Description
A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Kilo-Org kilocode allows a remote attacker who can control the environment variable KILO_CONFIG_CONTENT to make the Load function in config.ts disclose sensitive configuration data. The vulnerability is classified as Information Exposure (CWE-200) and Improper Access Control (CWE-284), with an additional unspecified weakness recorded as NVD-CWE-noinfo. The impact is information disclosure only; neither denial of service nor code execution is indicated.

Affected Systems

The affected product is Kilo-Org kilocode, versions up to and including 7.0.47. No other vendors or products are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level. The EPSS score of < 1% indicates a very low probability of exploitation at this time, and the vulnerability is not listed in CISA KEV, suggesting limited current exploitation activity. The description states that the attack can be launched remotely and that a published exploit exists, so a remote attacker is able to trigger the disclosure without additional prerequisites; note, however, that the recorded CVSS v3.x and v4.0 vectors specify PR:L (low privileges required), so some level of access to the affected environment is assumed.

Generated by OpenCVE AI on May 19, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the KILO_CONFIG_CONTENT environment variable so it cannot be supplied from external sources or untrusted environments.
  • Upgrade to a newer version of kilocode that is past 7.0.47 once the vendor releases an official patch or fix.
  • Implement network segmentation and firewall rules to limit remote access to the service hosting kilocode, and monitor for unusual environment variable modifications.

Advisories
Source: GitHub GHSA
ID: GHSA-rpc6-9c4p-j5cg
Title: @kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

History

Wed, 20 May 2026 17:45:00 +0000

First Time appeared: added Kilo kilo Code Cli
CPEs: removed cpe:2.3:a:kilo:kilo_code:*:*:*:*:*:visual_studio_code:*:*; added cpe:2.3:a:kilo:kilo_code_cli:*:*:*:*:*:node.js:*:*
Vendors & Products: added Kilo kilo Code Cli

Tue, 19 May 2026 21:15:00 +0000

Weaknesses: added NVD-CWE-noinfo
CPEs: added cpe:2.3:a:kilo:kilo_code:*:*:*:*:*:visual_studio_code:*:*

Mon, 18 May 2026 18:30:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 11:15:00 +0000

First Time appeared: added Kilo, Kilo kilo Code
Vendors & Products: added Kilo, Kilo kilo Code

Sun, 17 May 2026 22:30:00 +0000

Description: added (the description text shown at the top of this page)
Title: added Kilo-Org kilocode Environment Variable config.ts load information disclosure
First Time appeared: added Kilo-org, Kilo-org kilocode
Weaknesses: added CWE-200, CWE-284
CPEs: added cpe:2.3:a:kilo-org:kilocode:*:*:*:*:*:*:*:*
Vendors & Products: added Kilo-org, Kilo-org kilocode
References:
Metrics: added
  cvssV2_0 {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
  cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
  cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-18T17:51:42.789Z

Reserved: 2026-05-17T08:55:27.777Z

Link: CVE-2026-8766

Vulnrichment

Updated: 2026-05-18T15:52:31.725Z

NVD

Status: Analyzed

Published: 2026-05-17T23:17:02.640

Modified: 2026-05-20T17:34:04.830

Link: CVE-2026-8766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T23:00:13Z

Weaknesses