Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Information disclosure in Kilo-Org Kilocode versions up to 7.0.47 allows authenticated remote attackers to access sensitive configuration data by manipulating the KILO_CONFIG_CONTENT environment variable through the config.ts Load function. Public exploit code exists (EPSS probability data not provided), enabling low-complexity attacks that expose confidential information without requiring user interaction. The vendor has been unresponsive to disclosure attempts, and no patch release has been confirmed.
Technical ContextAI
This vulnerability affects the Environment Variable Handler component of Kilocode, specifically the Load function in packages/opencode/src/config/config.ts. The issue stems from CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where improper validation or sanitization of the KILO_CONFIG_CONTENT environment variable allows attackers to manipulate configuration loading mechanisms. Environment variable injection vulnerabilities commonly occur in Node.js/TypeScript applications when user-controlled input influences configuration file paths or content loading without adequate input validation. The affected CPE (cpe:2.3:a:kilo-org:kilocode:*:*:*:*:*:*:*:*) indicates this is a widespread issue across the Kilocode product line through version 7.0.47.
RemediationAI
No vendor-released patch identified at time of analysis despite early vendor notification. Organizations using Kilocode 7.0.47 or earlier should implement compensating controls immediately. Restrict access to environment variable configuration mechanisms by enforcing strict authentication and authorization on any interfaces that accept or process KILO_CONFIG_CONTENT values-this may require code-level changes to validate input sources. Deploy runtime application self-protection (RASP) or web application firewall (WAF) rules to detect and block requests attempting to inject malicious content into environment variables, though this may cause false positives if legitimate configuration updates use similar patterns. Isolate Kilocode instances in network segments with minimal exposure and limit authenticated user permissions to only those requiring configuration access, accepting the operational overhead of manual configuration management. Monitor application logs for anomalous Load function calls or environment variable modifications. Consider migrating to alternative configuration management solutions if vendor continues non-responsiveness. The public exploit at https://gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f should be reviewed to understand exact attack techniques for detection rule development.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30710
GHSA-rpc6-9c4p-j5cg