Skip to main content

Rtk

2 CVEs product

Monthly

CVE-2026-54555 HIGH PATCH This Week

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Rtk
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55249 HIGH This Week

Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.

Command Injection Rtk
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.2%
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Authorization bypass in rtk (rtk-ai) prior to 0.42.2 allows hidden command execution to slip past the permission splitter that gates the Claude Code permission hook. Because the splitter fails to handle Bash command-execution boundary constructs (such as command substitution and chained operators) inside an allowlisted prefix like git, rtk rewrite returns exit code 0 and the hook emits permissionDecision: "allow", causing the secondary command to execute without the user confirmation the policy was supposed to require. No public exploit identified at time of analysis and the issue is not in CISA KEV.

Authentication Bypass Rtk
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Arbitrary OS command execution in the @rtk-ai/rtk-rewrite 1.0.0 OpenClaw plugin allows an attacker who can influence the exec tool's command parameter - for example through an LLM agent prompt or gateway/tool-call input - to run commands with the privileges of the plugin/gateway process. The flaw stems from unsanitized input being interpolated into a shell-backed execSync() template that /bin/sh -c expands, letting $() and backtick substitutions fire before rtk runs. SSVC lists a proof-of-concept as available, though EPSS is low (0.23%, 14th percentile) and it is not in CISA KEV.

Command Injection Rtk
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy