Skip to main content

RTK CVE-2026-45792

| EUVDEUVD-2026-38572 MEDIUM
Insufficient Verification of Data Authenticity (CWE-345)
2026-05-20 https://github.com/rtk-ai/rtk GHSA-fvvm-949w-qj4w
6.9
CVSS 4.0 · Vendor: https://github.com/rtk-ai/rtk
Share

Severity by source

Vendor (https://github.com/rtk-ai/rtk) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/rtk-ai/rtk) · only source for this CVE.

CVSS VectorVendor: https://github.com/rtk-ai/rtk

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 23, 2026 - 20:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 20, 2026 - 16:03 vuln.today
Analysis Generated
May 20, 2026 - 16:03 vuln.today

DescriptionCVE.org

RTK (Rust Token Killer) improperly trusts project-local configuration files. In versions prior to 0.32.0, RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to apply regex-based modifications (e.g., strip_lines_matching) to shell command output before it is shown to the LLM, without any indication that the output has been modified.

This allows attackers to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review.

Patch

Fixed in v0.32.0 (PRs #623, #625):

  • .rtk/filters.toml is now blocked by default when untrusted, with a visible warning: [rtk] WARNING: untrusted project filters - Filters NOT applied. Run rtk trust to review and enable.
  • SHA-256 hash verification: if the file changes after trust, filters are blocked again until re-reviewed.
  • New rtk trust / rtk untrust commands for explicit user consent.
  • Trust store implemented in src/trust.rs; trust gate added in src/toml_filter.rs.

AnalysisAI

Silent output manipulation in RTK (Rust Token Killer) prior to v0.32.0 allows an attacker who can place a file in a repository to intercept and alter all shell command output before it reaches an LLM during AI-assisted development. The root cause is that RTK unconditionally loaded .rtk/filters.toml from the current working directory with highest priority and no user notification, enabling regex-based suppression or rewriting of file contents, diffs, and security scan results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV; however, the attack surface - repository-committed config files silently hijacking LLM context - is particularly relevant to AI-assisted development pipelines where developers may not scrutinize every checked-in config.

Technical ContextAI

RTK is a Rust CLI tool (pkg:rust/rtk) designed to preprocess and filter token streams before they are passed to a large language model. It supports a layered configuration system, with project-local .rtk/filters.toml loaded from the current working directory at highest priority. In versions prior to 0.32.0, this file was read and applied unconditionally via std::fs::read_to_string in src/toml_filter.rs without any trust verification or user consent step. The root cause maps to CWE-345 (Insufficient Verification of Data Authenticity): RTK failed to distinguish between configuration files the user had explicitly reviewed and untrusted files introduced by third parties. Filter primitives such as strip_lines_matching and replace allow arbitrary regex-based transformation of any string passed through the pipeline, making it straightforward to suppress security scanner output, redact diff hunks, or rewrite file contents - all silently. The fix in v0.32.0 introduces a SHA-256 trust store in src/trust.rs and a trust gate in src/toml_filter.rs that blocks filter application unless the user has explicitly run rtk trust against a specific file hash.

RemediationAI

Upgrade RTK to version 0.32.0 or later, which is the vendor-released patch confirmed by GHSA-fvvm-949w-qj4w (https://github.com/rtk-ai/rtk/security/advisories/GHSA-fvvm-949w-qj4w) and PRs #623 and #625. After upgrading, any repository containing .rtk/filters.toml will produce a visible warning and filters will not be applied until the user explicitly runs rtk trust in that directory. For users who cannot immediately upgrade, a compensating control is to manually inspect any .rtk/filters.toml present in repositories before running RTK, and to avoid running pre-0.32.0 RTK in directories cloned from untrusted sources. CI pipelines that legitimately need project filters can set RTK_TRUST_PROJECT_FILTERS=1 as documented in the patched src/trust.rs, but this should only be applied to repositories with verified, controlled content. There is no network-level mitigation available since the attack is filesystem-based.

Share

CVE-2026-45792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy