CVE-2026-54555 in rtk
Summary
by MITRE • 06/23/2026
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/23/2026
This vulnerability represents a critical authorization bypass flaw in the rtk system's command processing pipeline where permission controls are inadequately enforced during shell command parsing and rewriting. The issue stems from insufficient validation of shell constructs that can execute commands in bash, creating a pathway for malicious command injection through seemingly benign prefixes like git. The root cause lies in the permission splitter's failure to conservatively handle various shell metacharacters and execution boundaries that bash interprets as command delimiters or nested execution points. Prior to version 0422 the system would process commands containing hidden secondary commands without proper validation, allowing attackers to bypass intended access controls by leveraging shell syntax that enables command chaining or substitution.
The technical flaw manifests when a command starts with an allowed prefix such as git but contains embedded shell constructs that trigger additional command execution. These constructs include but are not limited to backticks, dollar sign expressions, and other bash metacharacters that enable command substitution or nested execution. The system's rewrite mechanism would return exit code 0 indicating successful processing while the permission decision was incorrectly marked as "allow" in the Claude hook. This false positive occurred because the validation logic failed to recognize that the rewritten command still contained unauthorized embedded commands, effectively rendering the permission enforcement mechanism useless for detecting and blocking malicious input.
The operational impact of this vulnerability is severe as it completely undermines the intended security controls designed to prevent unauthorized command execution. An attacker could craft commands that appear legitimate due to their prefix but secretly contain additional harmful operations, bypassing all user confirmation mechanisms and access control policies. This creates a scenario where privileged system operations could be executed without proper authorization or audit trails, potentially leading to data exfiltration, system compromise, or privilege escalation attacks. The vulnerability is particularly dangerous because it operates silently in the background, with no indication that unauthorized commands were processed or executed.
The fix implemented in version 0422 addresses this by strengthening the permission splitter's validation logic to conservatively handle all shell constructs that could enable command execution or substitution. This change ensures that any command containing potentially dangerous shell metacharacters will be rejected rather than silently processed, preventing the bypass of authorization controls. The mitigation strategy involves comprehensive parsing and sanitization of input commands to identify and block all forms of command injection through shell syntax, aligning with security best practices for preventing command injection vulnerabilities as outlined in CWE-78 and related attack patterns.
This vulnerability demonstrates a classic example of insufficient input validation and privilege separation in shell-based systems, similar to attack vectors described in MITRE ATT&CK framework under T1059.001 for command and scripting interpreter and T1566 for credential access through privilege escalation techniques. The implementation of proper shell escaping and conservative parsing practices would prevent such issues from occurring in future deployments, ensuring that all commands undergo rigorous validation before execution regardless of their apparent legitimacy or prefix.