Description
A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Kilo-Org kilocode allows a remote attacker to manipulate the environment variable KILO_CONFIG_CONTENT and cause the config.ts loader to disclose sensitive configuration data. The vulnerability corresponds to Information Exposure (CWE-200) and Improper Access Control (CWE-284), resulting in an information disclosure impact rather than denial of service or execution.

Affected Systems

The affected product is Kilo-Org kilocode, versions up to 7.0.47. No other vendors or products are listed in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk level. The EPSS score is not available, and the vulnerability is not listed in CISA KEV, suggesting limited current exploitation activity. The description states that the attack can be launched remotely and that a published exploit exists, so a remote attacker is able to trigger the disclosure without additional prerequisites.

Generated by OpenCVE AI on May 17, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the KILO_CONFIG_CONTENT environment variable so it cannot be supplied from external sources or untrusted environments.
  • Upgrade to a newer version of kilocode that is past 7.0.47 once the vendor releases an official patch or fix.
  • Implement network segmentation and firewall rules to limit remote access to the service hosting kilocode, and monitor for unusual environment variable modifications.

Advisories

No advisories yet.

History

Sun, 17 May 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Kilo-Org kilocode Environment Variable config.ts load information disclosure
First Time appeared | | Kilo-org; Kilo-org kilocode
Weaknesses | | CWE-200; CWE-284
CPEs | | cpe:2.3:a:kilo-org:kilocode:*:*:*:*:*:*:*:*
Vendors & Products | | Kilo-org; Kilo-org kilocode
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T22:15:08.997Z

Reserved: 2026-05-17T08:55:27.777Z

Link: CVE-2026-8766

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-17T23:17:02.640

Modified: 2026-05-17T23:17:02.640

Link: CVE-2026-8766

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T23:30:12Z

Weaknesses