CVE-2026-30311
OS Command Injection in Ridvay Code Auto-Approval Module Enables RCE
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ridvay | auto-approval_module | up to and including 0.1.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impact because it allows an attacker to execute arbitrary commands on the affected system without any user interaction. This remote code execution can lead to unauthorized access, data theft, system compromise, or further attacks within the network. Because the whitelist mechanism is bypassed, the system's intended security control (requiring a human to approve anything not on the whitelist) is ineffective, which increases the risk of exploitation.
Can you explain this vulnerability to me?
This vulnerability exists in Ridvay Code's command auto-approval module, which is designed to automatically approve certain commands based on a whitelist. The module uses fragile regular expressions to parse the command structure and does not account for shell command substitution such as $(...) and backticks. An attacker can craft a command like git log --grep="$(malicious_command)", which the module misidentifies as a safe git operation and approves automatically. The underlying shell then evaluates the command substitution and runs the embedded code, resulting in remote code execution without any user interaction.
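The defensive check the explanation calls for, as an added example that is not Ridvay Code's own code: JavaScript is assumed because this page does not state the module's language, and the allowlist, function names and the weak regex are assumptions for illustration. It places the prefix-only regex the advisory describes beside a gate that refuses any command carrying shell control characters before consulting the allowlist.

```javascript
// Added example (not Ridvay Code's code): weak vs. hardened auto-approval gate.
// Names, the allowlist and the weak regex below are assumptions for illustration.

// Weak approach, as the advisory describes it: only the leading
// "git <subcommand>" is inspected; whatever follows is never examined.
const WEAK_SAFE_GIT = /^git\s+(log|status|diff|show)\b/;

function weakAutoApprove(cmd) {
  return WEAK_SAFE_GIT.test(cmd);
}

// Shell constructs that let text inside a "safe" command run something else:
// command substitution $(...) and backticks, ${...} expansion, separators,
// pipes, redirections and newlines. Parentheses and braces are included so the
// check stays conservative (a literal "foo(bar)" in --grep is refused as well).
const SHELL_CONTROL = /[$`;|&<>\n\r(){}]/;

// Read-only git subcommands we are willing to approve without a human.
const APPROVED_GIT_SUBCOMMANDS = new Set(['log', 'status', 'diff', 'show']);

function hardenedAutoApprove(cmd) {
  // 1. Any shell control character disqualifies the command outright, so the
  //    shell can never be handed $(...) or `...` under an auto-approval.
  if (SHELL_CONTROL.test(cmd)) return false;
  // 2. Only after that filter is whitespace splitting good enough to find the
  //    program and subcommand.
  const argv = cmd.trim().split(/\s+/);
  if (argv.length < 2 || argv[0] !== 'git') return false;
  // 3. Approve only an allowlisted, read-only subcommand; everything else
  //    (push, rebase, config, global options such as "git -c ... log") goes
  //    back to the human. Per-subcommand option vetting is out of scope here.
  return APPROVED_GIT_SUBCOMMANDS.has(argv[1]);
}

// Constructed inputs: the advisory's example and a benign command.
const INJECTED = 'git log --grep="$(malicious_command)"';
const BENIGN = 'git log --grep="fix" --oneline';

// Returns the verdict of both gates for a command, for comparison.
function compare(cmd) {
  return { weak: weakAutoApprove(cmd), hardened: hardenedAutoApprove(cmd) };
}

console.log(compare(INJECTED)); // { weak: true, hardened: false }
console.log(compare(BENIGN));   // { weak: true, hardened: true }
```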