CVE-2026-45311

CRITICAL

CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval

Title source: cna

Description

CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8

Scores

CVSS v3 9.6

EPSS 0.0037

EPSS Percentile 29.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (4)

crates.io/deepseek-tui 0.3.0 - 0.8.23crates.io

crates.io/deepseek-tui-cli 0.3.0 - 0.8.23crates.io

Hmbown/CodeWhale >= 0.3.0, < 0.8.23

npm/deepseek-tui 0.3.0 - 0.8.23npm

Published May 28, 2026

Tracked Since May 28, 2026