Description
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
Published: 2026-06-23
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the command rewriting logic of rtk, which omits splitting or rejecting several shell constructs that Bash treats as command execution boundaries. This allows a user‑supplied command that starts with a permitted keyword such as git to conceal a hidden command behind constructs like backticks or nested execution. The rewrite component returned a zero exit code, causing the system to automatically grant permission and execute the concealed command. The effect is a bypass of the permission guard, enabling arbitrary command execution without user confirmation.

Affected Systems

Any installation of the rtk product from the rtk‑ai vendor running a version older than 0.42.2 is vulnerable. The affected component is the rewrite module responsible for generating LLM context from user commands.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate‑to‑high severity, and while the EPSS score is not available, the absence from the KEV catalog suggests no widespread exploitation yet. Nevertheless, an attacker who can supply commands to the rtk LLM interface can trigger this flaw, achieving privilege escalation on the host running rtk. The attack vector is inferred to be remote or local command input to the rewrite service.

Generated by OpenCVE AI on June 24, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rtk to version 0.42.2 or later, which patches the CWE-863 privilege decision bypass.
  • If an upgrade is not immediately possible, disable the auto‑allow feature in rtk’s configuration or enforce a stricter whitelist to prevent nested shell separator usage.
  • Monitor rtk logs for unexpected command execution patterns and audit permission splits for hidden commands.

Generated by OpenCVE AI on June 24, 2026 at 10:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Rtk-ai
Rtk-ai rtk
Vendors & Products Rtk-ai
Rtk-ai rtk

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
Title rtk: Permission-gate bypass in rtk rewrite auto-allow via unsplit shell separators
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:30:40.984Z

Reserved: 2026-06-15T19:04:14.456Z

Link: CVE-2026-54555

cve-icon Vulnrichment

Updated: 2026-06-24T14:30:32.307Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:42Z

Weaknesses