216.73.216.170

CVE-2026-45374

· Published 28/05/2026 18:16 · Modified 28/05/2026 18:40

Labels: CVE-2026-45374 2026-05-28CVE-2026-45374CWE-94[email protected]

Essential information

Published
28/05/2026 18:16
Modified
28/05/2026 18:40
Author
Creator
CVSS
9.6 CRITICAL (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS metrics

Description

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults, allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt. However, the spawned sub-agent silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
codewhale / codewhale cpe:2.3:a:codewhale:codewhale:<0.8.26:*:*:*:*:*:*:*

References