Command Execution Vulnerability in RTK AI by RTK
CVE-2026-54555

7.8 HIGH

Key Information:

Vendor: Rtk-ai
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-54555?

The RTK AI product (rtk), prior to version 0.42.2, contains a flaw in its command processing that lets potentially harmful commands run without the user confirmation the permission model is meant to enforce. The permission splitter, the component that decides whether a command line may run unattended, fails to handle certain shell constructs correctly: when a line starts with an allowed prefix, a second command hidden behind such a construct is carried along and executed as well, and the user is never prompted for it. The effect is that unauthorized commands run silently in the background, bypassing the authorization checks the product is designed to apply.
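The class of flaw described above, a prefix allowlist that only inspects the start of a command line, is easy to reproduce in miniature. The following is an added illustration written for this page, not rtk's code, and the allowlist entries and function names are hypothetical. It places a naive string-prefix check beside a hardened splitter that tokenizes the line with `shlex`, breaks it into simple commands on shell control operators, refuses constructs it cannot reason about (command substitution, redirection, multi-line input), and requires every resulting command to match an allowed prefix token by token.

```python
"""Toy permission splitter: a prefix-only allowlist check beside a hardened one.

Illustrative example for the advisory above; this is not rtk's implementation.
"""
import shlex

# Constructed allowlist for the example. The rtk configuration format is not
# described on the page, so these entries are hypothetical.
ALLOWED_PREFIXES = ("git status", "git log", "ls")

# Control operators that separate one simple command from the next. A check
# that only looks at the text before the first operator misses everything after it.
COMMAND_SEPARATORS = {";", "&&", "||", "|", "|&", "&"}

# Constructs that embed a command somewhere other than the start of the line.
# The hardened splitter refuses them instead of trying to parse them.
HIDDEN_COMMAND_MARKERS = ("\n", "\r", "`", "$(", "<(", ">(")


def naive_is_allowed(cmd: str) -> bool:
    """Vulnerable check: a plain string-prefix match on the whole line."""
    return any(cmd.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def split_simple_commands(cmd: str) -> list[list[str]]:
    """Tokenize a shell line and split it into argv lists on control operators.

    Raises ValueError for input it cannot reason about: substitutions,
    multi-line input, redirections or subshells, and unbalanced quotes.
    """
    if any(marker in cmd for marker in HIDDEN_COMMAND_MARKERS):
        raise ValueError("command substitution or multi-line input")
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep arguments whole; only operators split
    commands, current = [], []
    for tok in lexer:  # raises ValueError on an unclosed quote
        if tok and tok[0] in lexer.punctuation_chars:
            # Runs of ();<>|& come back as one token, e.g. "&&" or ">".
            if tok not in COMMAND_SEPARATORS:
                raise ValueError(f"unsupported shell operator {tok!r}")
            commands.append(current)
            current = []
        else:
            current.append(tok)  # quoted text stays one argument, "a; b" included
    commands.append(current)
    return commands


def strict_is_allowed(cmd: str) -> bool:
    """Hardened check: every simple command must start with an allowed prefix, argv-wise."""
    try:
        commands = split_simple_commands(cmd)
    except ValueError:
        return False  # deny what cannot be parsed safely
    allowed_argvs = [shlex.split(prefix) for prefix in ALLOWED_PREFIXES]
    for argv in commands:
        if not argv:  # empty segment, e.g. a trailing ';'
            return False
        # Token-wise comparison also stops "lsof" from matching the prefix "ls".
        if not any(argv[: len(allowed)] == allowed for allowed in allowed_argvs):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample lines; the last two hide a second command behind an operator.
    samples = (
        "git status",
        'git log --grep "fix; cleanup"',
        "lsof -i",
        "git status; rm -rf /tmp/x",
        "git status\nrm -rf /tmp/x",
    )
    for line in samples:
        print(f"{line!r:40} naive={naive_is_allowed(line)!s:5} strict={strict_is_allowed(line)}")
```

The naive check accepts every sample that begins with an allowed string, including the ones that append `; rm -rf` or a newline; the strict check accepts only the two lines whose simple commands all sit inside the allowlist. Denying on parse failure (rather than falling back to the prefix match) is the design choice that matters: an allowlist for shell commands has to understand the shell's own separators, or it is only checking the first few characters of an arbitrary script.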

Affected Version(s)

rtk < 0.42.2

CVSS V3.1

Score:
7.8
Severity:
HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published (23 June 2026)