Description
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
Published: 2026-06-23
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the command rewriting logic of rtk, which did not split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. A user-supplied command that starts with a permitted prefix such as git could therefore conceal a second command behind one of those constructs, for example backticks or nested execution. Because the rewrite component still returned a zero exit code, the hook automatically granted permission and the concealed command was executed. The effect is a bypass of the permission guard, enabling command execution without the user confirmation or denial the permission rules were meant to enforce.
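The defensive rule the description refers to is "split conservatively, or refuse to auto-allow". The following is an added illustration of that rule, written for this page; it is not rtk's code, and the allowlist, the `decide` function and the `Decision` type are constructed for the example. It first refuses any input containing a nested-execution marker, then splits the remainder into simple commands on Bash separators (respecting quoting via `shlex`) and only auto-allows when every simple command starts with an allowed prefix. Anything it cannot parse, or anything it is unsure about, falls through to the user-confirmation path rather than to "allow".

```python
"""Conservative command-boundary guard for an auto-allow hook (hypothetical example)."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed allowlist: command prefixes that may run without confirmation.
ALLOWED_PREFIXES = frozenset({"git", "ls", "cat"})

# Raw substrings that introduce nested or substituted execution. Their presence
# anywhere in the input (even inside quotes) is enough to refuse auto-allow;
# the user then confirms or denies as usual.
NESTED_EXECUTION = ("`", "$(", "<(", ">(")

# shlex(punctuation_chars=True) emits runs of these characters as their own
# tokens (";", "&&", "||", "|", "&", "(", ")", redirections). Each such token
# is treated as the end of one simple command.
PUNCTUATION = set("();<>|&")


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def split_simple_commands(command: str) -> list[list[str]]:
    """Split a shell command line into simple commands (lists of words).

    Newlines are command boundaries in Bash, so each line is lexed separately.
    Quoted text is kept as a single word, so "a; b" inside quotes is not split.
    Raises ValueError on unbalanced quotes (shlex's own behaviour).
    """
    segments: list[list[str]] = []
    for line in command.replace("\r", "\n").split("\n"):
        lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        current: list[str] = []
        for tok in lexer:
            if set(tok) <= PUNCTUATION:
                # Separator or redirection: close the current simple command.
                if current:
                    segments.append(current)
                    current = []
            else:
                current.append(tok)
        if current:
            segments.append(current)
    return segments


def decide(command: str) -> Decision:
    """Return allow=True only when every simple command has an allowed prefix."""
    for marker in NESTED_EXECUTION:
        if marker in command:
            return Decision(False, f"nested execution marker {marker!r} present")
    try:
        segments = split_simple_commands(command)
    except ValueError as exc:
        # Unparseable input must never be auto-allowed.
        return Decision(False, f"could not parse command: {exc}")
    if not segments:
        return Decision(False, "empty command")
    for words in segments:
        if words[0] not in ALLOWED_PREFIXES:
            return Decision(False, f"simple command starts with {words[0]!r}")
    return Decision(True, "every simple command starts with an allowed prefix")


if __name__ == "__main__":
    # Constructed sample inputs: one plain allowed command, then variants that
    # append a second command behind a boundary the guard must notice.
    for sample in ("git status", "git status; env", "git log `env`",
                   "git status\nenv", "git commit -m 'a; b'"):
        print(repr(sample), "->", decide(sample))
```

Redirection tokens such as `>` are deliberately treated as boundaries too, so `git log > out.txt` is not auto-allowed (its second segment, `out.txt`, has no allowed prefix); that is the conservative choice the description calls for, and relaxing it would need explicit redirection handling rather than ignoring the token.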

Affected Systems

Any installation of the rtk product from the rtk‑ai vendor running a version older than 0.42.2 is vulnerable. The affected component is the rewrite module responsible for generating LLM context from user commands.

Risk and Exploitability

The CVSS score of 7.8 indicates moderate‑to‑high severity, and while the EPSS score is not available, the absence from the KEV catalog suggests no widespread exploitation yet. Nevertheless, an attacker who can supply commands to the rtk LLM interface can trigger this flaw, achieving privilege escalation on the host running rtk. The attack vector is inferred to be remote or local command input to the rewrite service.

Generated by OpenCVE AI on June 24, 2026 at 10:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade rtk to version 0.42.2 or later, which patches the CWE-863 privilege decision bypass.
  • If an upgrade is not immediately possible, disable the auto‑allow feature in rtk’s configuration or enforce a stricter whitelist to prevent nested shell separator usage.
  • Monitor rtk logs for unexpected command execution patterns and audit permission splits for hidden commands.

Generated by OpenCVE AI on June 24, 2026 at 10:12 UTC.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 19:45:00 +0000

Values added (initial publication; no values removed):

  • Description: rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
  • Title: rtk: Permission-gate bypass in rtk rewrite auto-allow via unsplit shell separators
  • Weaknesses: CWE-863
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:05:20.849Z

Reserved: 2026-06-15T19:04:14.456Z

Link: CVE-2026-54555

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T10:15:05Z

Weaknesses