Search criteria
4 vulnerabilities by Hmbown
CVE-2026-45311 (GCVE-0-2026-45311)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:32 – Updated: 2026-06-01 19:09
VLAI
Title
CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval
Summary
CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Hmbown/CodeWhale/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45311",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T19:09:32.481506Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T19:09:50.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CodeWhale",
"vendor": "Hmbown",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.3.0, \u003c 0.8.23"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:32:26.950Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8"
}
],
"source": {
"advisory": "GHSA-wx44-2q6h-j6p8",
"discovery": "UNKNOWN"
},
"title": "CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45311",
"datePublished": "2026-05-28T17:32:26.950Z",
"dateReserved": "2026-05-11T20:50:30.538Z",
"dateUpdated": "2026-06-01T19:09:50.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45310 (GCVE-0-2026-45310)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:30 – Updated: 2026-05-30 02:09
VLAI
Title
CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool
Summary
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL's resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22.
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Hmbown/CodeWhale/security/advi… | x_refsource_CONFIRM |
| https://github.com/Hmbown/DeepSeek-TUI/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45310",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:08:49.211461Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:09:17.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-96ff-gc8g-wpvg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CodeWhale",
"vendor": "Hmbown",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.22"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.22, the fetch_url tool validates the initial URL\u0027s resolved IP address against a restricted-IP blocklist (is_restricted_ip()) to prevent SSRF attacks against internal services (cloud metadata endpoints, localhost, private networks). However, the HTTP client (reqwest) is configured to automatically follow up to 5 redirects (reqwest::redirect::Policy::limited(5)) without re-validating the redirect target against the same SSRF protections. This vulnerability is fixed in 0.8.22."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:30:09.575Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-96ff-gc8g-wpvg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-96ff-gc8g-wpvg"
},
{
"name": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.22",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.22"
}
],
"source": {
"advisory": "GHSA-96ff-gc8g-wpvg",
"discovery": "UNKNOWN"
},
"title": "CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45310",
"datePublished": "2026-05-28T17:30:09.575Z",
"dateReserved": "2026-05-11T20:50:30.538Z",
"dateUpdated": "2026-05-30T02:09:17.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45373 (GCVE-0-2026-45373)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:27 – Updated: 2026-05-30 02:05
VLAI
Title
CodeWhale: SSRF IPV6 bypass
Summary
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in URL as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26.
Severity
7.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Hmbown/CodeWhale/security/advi… | x_refsource_CONFIRM |
| https://github.com/Hmbown/DeepSeek-TUI/blob/15f62… | x_refsource_MISC |
| https://github.com/Hmbown/DeepSeek-TUI/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45373",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:05:23.292905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:05:45.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-88gh-2526-gfrr"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CodeWhale",
"vendor": "Hmbown",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, although SSRF is validated against hostnames that resolve to private IPv6 addresses, when providing the IPV6 in\u200c\u200c URL\u200c as http://[::1], the SSRF defenses do not work. This vulnerability is fixed in 0.8.26."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:29:19.592Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-88gh-2526-gfrr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-88gh-2526-gfrr"
},
{
"name": "https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/tools/fetch_url.rs#L321",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Hmbown/DeepSeek-TUI/blob/15f62e3e93d842f30b428877819ebc1c8cb96814/crates/tui/src/tools/fetch_url.rs#L321"
},
{
"name": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26"
}
],
"source": {
"advisory": "GHSA-88gh-2526-gfrr",
"discovery": "UNKNOWN"
},
"title": "CodeWhale: SSRF\u200c IPV6 bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45373",
"datePublished": "2026-05-28T17:27:59.055Z",
"dateReserved": "2026-05-12T00:51:29.086Z",
"dateUpdated": "2026-05-30T02:05:45.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45374 (GCVE-0-2026-45374)
Vulnerability from cvelistv5 – Published: 2026-05-28 17:26 – Updated: 2026-05-30 02:04
VLAI
Title
CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Summary
CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.
Severity
9.6 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Hmbown/CodeWhale/security/advi… | x_refsource_CONFIRM |
| https://github.com/Hmbown/DeepSeek-TUI/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45374",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:04:28.787540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:04:52.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-72w5-pf8h-xfp4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "CodeWhale",
"vendor": "Hmbown",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T17:29:11.005Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-72w5-pf8h-xfp4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-72w5-pf8h-xfp4"
},
{
"name": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Hmbown/DeepSeek-TUI/releases/tag/v0.8.26"
}
],
"source": {
"advisory": "GHSA-72w5-pf8h-xfp4",
"discovery": "UNKNOWN"
},
"title": "CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45374",
"datePublished": "2026-05-28T17:26:42.979Z",
"dateReserved": "2026-05-12T00:51:29.086Z",
"dateUpdated": "2026-05-30T02:04:52.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}