CVE-2026-45792
Received Received - Intake
RTK Command Output Manipulation via Malicious Filters

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
rtk filters and compresses command outputs before they reach your LLM context. Prior to 0.32.0, RTK (Rust Token Killer) improperly trusts project-local configuration files. RTK automatically loads .rtk/filters.toml from the working directory with highest priority and without user notification. An attacker can place a malicious filter file in a repository to apply regex-based modifications (e.g., strip_lines_matching) to shell command output before it is shown to the LLM, without any indication that the output has been modified. This allows attackers to selectively suppress or alter command output (including file contents, diffs, and security scan results) without detection, potentially concealing malicious code during AI-assisted development or review. This vulnerability is fixed in 0.32.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-24
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-45792
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
rtk-ai rtk 0.32.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-426 The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in RTK (Rust Token Killer) prior to version 0.32.0 involves the tool improperly trusting project-local configuration files, specifically the .rtk/filters.toml file. RTK automatically loads this filter file from the working directory with the highest priority and without notifying the user.

An attacker can place a malicious filter file in a repository that applies regex-based modifications to shell command outputs before they are shown to the language model (LLM). This can silently alter or suppress command outputs such as file contents, diffs, or security scan results without any indication that the output has been modified.

This allows attackers to conceal malicious code during AI-assisted development or code review processes, making it difficult to detect tampering or security issues.

Impact Analysis

This vulnerability can impact you by allowing attackers to silently modify or suppress important command outputs that are used during AI-assisted development or review. This means malicious code or security vulnerabilities can be hidden from detection tools or developers.

Such tampering can lead to compromised code integrity, undetected security flaws, and potentially the introduction of harmful code into your projects without your knowledge.

Because the malicious filters operate without user notification, you may trust the outputs shown to the LLM, leading to false confidence in the security and correctness of your code.

Detection Guidance

This vulnerability involves RTK automatically loading project-local filter files (.rtk/filters.toml) from the working directory without user notification, which can silently modify command outputs. To detect if this vulnerability is present, you can check if your RTK version is prior to 0.32.0 and whether untrusted filters are being loaded.

You can use the following RTK commands to manage and inspect trust relationships for filters:

  • rtk trust - to explicitly trust a project-local filter file.
  • rtk untrust - to remove trust from a filter file.
  • rtk trust --list - to list currently trusted filters.

Additionally, checking the presence and contents of .rtk/filters.toml files in your working directories and verifying their trust status can help detect potential malicious filters.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade RTK to version 0.32.0 or later, where the issue is fixed by blocking untrusted project-local filters by default.

After upgrading, ensure that untrusted filters are not loaded silently by default. Use the new trust management commands to explicitly trust only verified filter files:

  • Use 'rtk trust' to trust safe filter files.
  • Use 'rtk untrust' to remove trust from suspicious or unknown filters.

Review and audit any existing .rtk/filters.toml files in your projects to ensure they are not maliciously modifying command outputs.

For automated environments like CI pipelines, configure the environment variable RTK_TRUST_PROJECT_FILTERS=1 carefully along with additional CI environment variables to prevent injection attacks.

Compliance Impact

This vulnerability allows attackers to silently modify or suppress command output, including file contents, diffs, and security scan results, without detection. Such tampering can conceal malicious code during AI-assisted development or review, potentially impacting the integrity and authenticity of data.

Because the vulnerability undermines data integrity and authenticity, it could negatively affect compliance with standards and regulations that require accurate and untampered data handling, such as GDPR and HIPAA. These regulations mandate protection of data integrity and transparency, and the silent modification of outputs could lead to violations if malicious alterations go undetected.

The vulnerability is associated with CWE-345 (Insufficient Verification of Data Authenticity) and CWE-426 (Untrusted Search Path), highlighting risks related to trust and verification that are critical for regulatory compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45792. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart