CVE-2026-54555
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
A vulnerability in rtk (versions before 0.42.2) allowed bypassing the permission control mechanism by hiding a second command within Bash shell constructs that were not properly split or rejected. A command starting with an allowed prefix (e.g., 'git') could contain a hidden command that executed without required user authorization.
Risk Assessment
An attacker can execute unauthorized commands on the system, bypassing security policies and user confirmation mechanisms. This poses a serious risk of privilege escalation and uncontrolled access to system resources.
Recommendation
Immediately update rtk to version 0.42.2 or later, which includes a fix that properly splits and rejects dangerous Bash shell constructs.
Original NVD description (English source)
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.42.2, the permission splitter did not conservatively split or reject several shell constructs that Bash treats as command execution boundaries or nested execution. As a result, a command beginning with an allowed prefix such as git could hide a second command behind one of these constructs. rtk rewrite returned exit code 0, causing the Claude hook to emit permissionDecision: "allow". The rewritten command still contained the hidden command, so it ran without the user confirmation or denial that the permission rules were intended to enforce. This vulnerability is fixed in 0.42.2.

