Description
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.
Published: 2026-05-28
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the task_create tool of CodeWhale, which locally spawns sub‑agents with insecure default settings: allow_shell defaults to true and auto_approve defaults to true. When a user (who must approve the task) accepts a seemingly harmless prompt, the sub‑agent inherits unrestricted shell access and can execute arbitrary commands. This results in a remote code execution flaw that an attacker can exploit to run code with the privileges of the user who approves the task.

Affected Systems

Hmbown:CodeWhale, any version prior to 0.8.26. The affected versions are those built before the fix introduced in release 0.8.26.

Risk and Exploitability

The CVSS score is 9.6, indicating critical risk. EPSS data is not available, but the absence of this metric does not diminish the severity implied by the CVSS analysis. The exploit requires that an attacker has the ability to trigger and approve a task_create call—typically an authenticated, authorized user. Thus the potential impact is high, and the attack vector is likely local or within a user’s session. This vulnerability is not listed in CISA KEV, but given the critical severity and the straightforward attack path, prompt remediation is strongly recommended.

Generated by OpenCVE AI on May 28, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CodeWhale to version 0.8.26 or later to apply the fixed defaults.
  • If upgrading is not immediately possible, modify configuration to set allow_shell to false and auto_approve to false in config.rs and task_manager.rs, or apply equivalent environment overrides.
  • Restrict task approval to trusted users and regularly audit pending tasks to ensure no malicious prompts are inadvertently approved.

Generated by OpenCVE AI on May 28, 2026 at 19:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-72w5-pf8h-xfp4 DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
History

Thu, 28 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.
Title CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T17:29:11.005Z

Reserved: 2026-05-12T00:51:29.086Z

Link: CVE-2026-45374

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-28T18:16:35.843

Modified: 2026-05-28T18:40:37.990

Link: CVE-2026-45374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T19:30:16Z

Weaknesses