Detection Guidance

This vulnerability involves the rtk tool's permission splitter failing to properly handle certain shell constructs, allowing hidden commands to execute without user confirmation.

Detection involves monitoring for commands that use allowed prefixes (e.g., git) combined with shell constructs such as newlines, background operators (&), or command substitutions ($() or backticks) that could hide additional commands.

Since the issue is in the rewriting and permission decision process of rtk, you can detect exploitation attempts by examining logs or outputs of rtk rewrite commands for unexpected exit codes or hidden commands.

• Check rtk rewrite exit codes: commands that should be denied but return 0 (auto-allow) may indicate exploitation.
• Search for shell commands containing allowed prefixes followed by suspicious shell constructs like newlines, &, $(), or backticks.
• Example command to detect suspicious commands in logs or scripts: grep -E 'git.*( |&|\$\(|`)' /path/to/command/logs

Useful 0 Not Useful 0

Executive Summary

CVE-2026-54555 is a permission-gate bypass vulnerability in the rtk tool that affects versions up to 0.40.0 (and certain release candidates). The issue arises because the permission splitter in rtk does not properly handle certain shell constructs that Bash treats as command execution boundaries, such as newlines, background operators (&), and command substitutions ($() or backticks).

This flaw allows a command starting with an allowed prefix (like "git") to hide a second, potentially malicious command behind these shell constructs. The rtk rewrite function incorrectly returns an exit code of 0, which causes the Claude hook to automatically allow the command without user confirmation or denial, bypassing the intended permission rules.

As a result, the hidden command executes without the expected security checks, enabling attackers to run unauthorized commands.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized command execution within environments using the rtk tool as a Claude Code PreToolUse hook. Attackers can exploit it to run hidden commands without user approval, potentially causing severe impacts such as file deletion, data exfiltration, or other malicious activities.

Because the permission rules are bypassed, users or systems relying on rtk for command authorization may unknowingly allow harmful commands to execute, compromising system integrity, confidentiality, and availability.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows hidden commands to be executed without user confirmation or denial, bypassing intended permission rules. Such unauthorized command execution can lead to data exfiltration or deletion, which may compromise the confidentiality, integrity, and availability of sensitive data.

Because of this, organizations using affected versions of rtk may face challenges in maintaining compliance with standards and regulations like GDPR or HIPAA, which require strict controls over data access and processing to protect personal and sensitive information.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in rtk version 0.42.2. The immediate mitigation step is to upgrade rtk to version 0.42.2 or later.

The fix ensures that the permission checker properly splits command segments on newlines and background operators outside quotes, treats command substitutions as non-attestable for auto-allow, and avoids false positives for redirect operators.

Until the upgrade is applied, consider restricting or monitoring usage of rtk as a Claude Code PreToolUse hook, especially commands with allowed prefixes that may hide additional commands.

Useful 0 Not Useful 0