Kitty has an arbitrary file overwrite via symlink following in `kitten dnd` remote drop staging
CVE-2026-54056
What is CVE-2026-54056?
Kitty is a cross-platform GPU based terminal. In versions 0.47.0 and 0.47.1, kitten dnd can allow a malicious remote drag-and-drop source to overwrite or truncate arbitrary files writable by the local kitty user. Remote text/uri-list drops are staged in a temporary directory, but on case-sensitive filesystems duplicate remote basenames are not de-duplicated. An attacker can first create a staged symlink and then send a same-name regular-file entry. The regular-file write uses utils.CreateAt() / openat(O_RDWR|O_CREAT|O_TRUNC) without O_NOFOLLOW, so it follows the attacker-created symlink and writes outside the staging directory before final overwrite confirmation runs. This appears related in class to the file-transfer symlink advisory, but it is a different bug: it affects kitten dnd remote drag-and-drop staging, uses different vulnerable code (kittens/dnd/drop.go and tools/utils/file_at_fd.go), and reproduces on commit 4aa4a5c0567a92553a8c20a88a4352da637fca5d, after the file-transfer O_NOFOLLOW fix. Version 0.47.2 patches the issue.
Affected Version(s)
kitty >= 0.47.0, < 0.47.2