CVE-2026-54555

rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.

CVSS v3 7.8 HIGH

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327
https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327

Configurations

No configuration.

History

24 Jun 2026, 16:16

Type	Values Removed	Values Added
References	~~() https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327 -~~	() https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327 -

23 Jun 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-23 20:16

Updated : 2026-06-24 16:16

NVD link : CVE-2026-54555

Mitre link : CVE-2026-54555

CVE.ORG link : CVE-2026-54555

JSON object : View

Products Affected

No product.

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2026-54555", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-54555", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-24T14:29:21.375030Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "rtk-ai", "product": "rtk", "versions": [{"status": "affected", "version": "< 0.42.2"}]}]}], "published": "2026-06-23T20:16:49.737", "references": [{"url": "https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327", "source": "security-advisories@github.com"}, {"url": "https://github.com/rtk-ai/rtk/security/advisories/GHSA-7gxq-fvfc-g327", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Received", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: \"allow\". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2."}], "lastModified": "2026-06-24T16:16:32.693", "sourceIdentifier": "security-advisories@github.com"}