Improper Trust in Local Configuration Files in Rust Token Killer
CVE-2026-45792

6.9 MEDIUM

Key Information:

Vendor: Rtk-ai

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-45792?

Rust Token Killer prior to version 0.32.0 allows attackers to exploit improperly trusted project-local configuration files. An adversary can introduce a malicious .rtk/filters.toml file into a repository, enabling them to execute regex-based modifications on command outputs without user notification. This manipulation can conceal critical information such as security scan results and file contents, effectively hiding malicious code during AI-assisted development processes. Users are urged to upgrade to version 0.32.0 to mitigate this risk.

Affected Version(s)

rtk < 0.32.0
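
A pre-flight audit for the condition described above, as an added example that is not part of the advisory or the rtk project: it flags an rtk version older than 0.32.0 and lists every .rtk/filters.toml under a directory of checkouts, with a SHA-256 for review. The function names, the script name and passing the version string in by hand are assumptions of this example.

```python
"""Added example: audit checkouts for project-local rtk filter files."""
import hashlib
import os
import re
import sys
from pathlib import Path

FIXED = (0, 32, 0)                          # first fixed release per the advisory
FILTER_REL = Path(".rtk") / "filters.toml"  # path named in the advisory


def parse_version(text):
    """Return the first MAJOR.MINOR.PATCH triple in text as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no MAJOR.MINOR.PATCH version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_text):
    """True when the version is older than 0.32.0 (numeric, not string, compare)."""
    return parse_version(version_text) < FIXED


def find_local_filters(root):
    """Return sorted (path, sha256) pairs for each .rtk/filters.toml under root."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip VCS metadata
        candidate = Path(dirpath) / FILTER_REL
        if candidate.is_file():
            digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
            hits.append((str(candidate), digest))
    return sorted(hits)


def audit(root, version_text):
    """Filter files to review before an affected rtk version is run under root."""
    return find_local_filters(root) if is_affected(version_text) else []


if __name__ == "__main__":
    # Usage (hypothetical script name): audit_rtk.py <checkout-dir> <rtk-version>
    if len(sys.argv) != 3:
        sys.exit("usage: audit_rtk.py <checkout-dir> <rtk-version>")
    findings = audit(sys.argv[1], sys.argv[2])
    for path, digest in findings:
        print(f"review before running rtk: {path} sha256={digest}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status on findings lets the script gate a CI job or a pre-checkout hook until the listed files have been reviewed.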

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
