HarborGuard CVE entry: CVE-2026-45374 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45374: CodeWhale: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

CodeWhale is a DeepSeek + MiMo coding agent that runs in the terminal. Prior to 0.8.26, the task_create tool spawns durable sub-agents that inherit two insecure defaults: allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true)) and auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true)). When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt; the spawned sub-agent, however, silently receives unrestricted, unapproved shell access. This vulnerability is fixed in 0.8.26.

HarborGuard Analysis

Synopsis

A prompt-injection-driven remote code execution vulnerability exists in CodeWhale, a DeepSeek and MiMo-powered coding agent that runs in the terminal. An attacker can embed malicious instructions inside project files (such as source code, README files, or configuration files) that the agent reads; when a user approves what looks like a routine task_create call, the spawned sub-agent silently inherits allow_shell=true and auto_approve=true, giving it unrestricted, unapproved shell access on the host. Successful exploitation gives the attacker full command execution on the user's machine without any further confirmation step. The upstream advisory states that the issue is fixed in 0.8.26; HarborGuard tracks the advisory and will make a patched-image rebuild available once that fix version is confirmed.
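To make the two defaults concrete, the following is an added illustration written for this page, not CodeWhale's own code: the types AgentConfig, EffectivePerms, spawn_vulnerable, spawn_hardened and decide_shell_call are hypothetical, and only the two expressions quoted in the advisory (self.allow_shell.unwrap_or(true) and auto_approve: Some(true)) are taken from it. It shows why an Option<bool> resolved with unwrap_or(true), combined with an unconditional auto_approve: Some(true) on the child, turns an approved task_create into an ungated shell, and what the fail-closed resolution looks like beside it.

```rust
// Added illustration of the insecure-default pattern described in the
// advisory. All types and functions here are hypothetical, not CodeWhale's.

/// Per-agent settings as they might be parsed from a config file, where an
/// absent key is `None`.
#[derive(Clone, Debug, Default)]
pub struct AgentConfig {
    pub allow_shell: Option<bool>,
    pub auto_approve: Option<bool>,
}

/// Effective permissions a spawned sub-agent ends up with.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct EffectivePerms {
    pub allow_shell: bool,
    pub auto_approve: bool,
}

impl AgentConfig {
    /// Vulnerable resolution: an unset `allow_shell` becomes `true`
    /// (the `unwrap_or(true)` expression quoted in the advisory).
    pub fn allow_shell_vulnerable(&self) -> bool {
        self.allow_shell.unwrap_or(true)
    }

    /// Hardened resolution: an unset key is a denial; shell access must be
    /// opted into explicitly.
    pub fn allow_shell_hardened(&self) -> bool {
        self.allow_shell.unwrap_or(false)
    }
}

/// Vulnerable spawn: the child keeps the parent's (possibly unset) shell
/// setting and is created with `auto_approve: Some(true)` regardless of what
/// the user actually approved, so none of its tool calls are ever gated.
pub fn spawn_vulnerable(parent: &AgentConfig) -> EffectivePerms {
    let child = AgentConfig {
        allow_shell: parent.allow_shell,
        auto_approve: Some(true),
    };
    EffectivePerms {
        allow_shell: child.allow_shell_vulnerable(),
        auto_approve: child.auto_approve.unwrap_or(true),
    }
}

/// Hardened spawn: a sub-agent never gets more than the parent was explicitly
/// granted, and auto-approval is never assumed for a child.
pub fn spawn_hardened(parent: &AgentConfig) -> EffectivePerms {
    EffectivePerms {
        allow_shell: parent.allow_shell_hardened(),
        auto_approve: parent.auto_approve.unwrap_or(false),
    }
}

/// What a shell tool call inside the sub-agent should do with those perms:
/// deny outright without shell permission, prompt unless auto-approved.
#[derive(Debug, PartialEq, Eq)]
pub enum ShellDecision {
    Denied,
    NeedsApproval,
    Run,
}

pub fn decide_shell_call(p: EffectivePerms) -> ShellDecision {
    match (p.allow_shell, p.auto_approve) {
        (false, _) => ShellDecision::Denied,
        (true, false) => ShellDecision::NeedsApproval,
        (true, true) => ShellDecision::Run,
    }
}

fn main() {
    // Parent task with nothing configured: the situation the advisory
    // describes, where the user approved only the task_create call itself.
    let parent = AgentConfig::default();
    println!("vulnerable: {:?}", decide_shell_call(spawn_vulnerable(&parent)));
    println!("hardened:   {:?}", decide_shell_call(spawn_hardened(&parent)));
}
```

The point of the hardened variant is that an absent configuration key resolves to the least privilege, and that a child's approval mode is derived from the parent's explicit grant rather than hard-coded; with both in place, a sub-agent spawned from an unconfigured parent cannot run a shell command at all, and one spawned from a parent that was granted shell access still has to ask.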

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-45374 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including the GitHub_M CNA feed) within minutes of publication and matched against all customer images, including custom-built images that bundle CodeWhale or its dependencies. Any image containing a CodeWhale version below 0.8.26 is flagged on the next scan cycle.

Triage: Available

HarborGuard scores this CVE at CVSS 9.6 Critical and surfaces it at the top of the affected image's finding list; per-environment compliance policy weighting is applied, so teams with stricter policies see it as a blocking finding. Triage routing can direct the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

The upstream advisory names 0.8.26 as the fixed release, but HarborGuard has not yet confirmed a fix version (the Fixed in field under Metrics is empty). HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the fix version is confirmed. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious prompt payload (embedded in project files) to a victim who fetches or opens them over the network, for example by cloning a repository, so the attack reaches the agent via network-accessible content. The resulting command execution itself happens locally on the victim's host.

  • Authentication: Not required

    No account or credential is needed; any unauthenticated party who can place or influence a file the user opens can trigger the vulnerability.

  • Victim interaction: Required

    The user must approve a task_create call that appears benign, making this a social-engineering vector in which the victim is the unwitting approver.

  • Attack complexity: Low

    The exploit requires no race conditions or special environmental conditions and is reliably reproducible once a malicious prompt is in a file the agent processes.

Blast Radius

  • The spawned sub-agent executes arbitrary shell commands on the host without further user confirmation, giving the attacker full control of the local environment.
  • Confidential files, secrets, API keys, and credentials stored on the filesystem are readable and exfiltrable.
  • The attacker can modify, overwrite, or delete any file accessible to the user running CodeWhale, including source code and build artifacts.
  • The process can crash or permanently disrupt the local development environment and any services it manages.

How HarborGuard Handles This

The upstream advisory names 0.8.26 as the fixed release, but as of the publication date (2026-05-28) HarborGuard has not confirmed a fix version, so the advisory is re-evaluated on every ingest cycle and a patched-image rebuild becomes available as soon as 0.8.26 or later is confirmed. In the meantime, customers can apply compensating controls through HarborGuard policy: flag any image bundling CodeWhale below 0.8.26 as non-compliant, gate pipeline promotion on that policy, and use network-policy isolation to restrict the container's outbound egress so that exfiltration paths are narrowed. Egress restriction limits what a hijacked sub-agent can send out; it does not stop it from running commands on the host, so for environments where CodeWhale is run against untrusted repositories, consider a feature-flag gate that disables task_create entirely until the patch is applied. For customers with auto-remediation enabled, the rebuild, regression run, and PR flow trigger automatically once an upstream fix is confirmed, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes in those environments.
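The version gate described above is easy to get wrong with a string comparison ("0.8.3" sorts after "0.8.26" lexically and would wrongly pass). The following is an added example written for this page, not HarborGuard's policy engine: the package name and the "< 0.8.26" range come from the advisory, while the Version, Verdict, evaluate and blocks_promotion names and the SBOM entries are constructed for the illustration. Unparseable version strings fail closed and block promotion rather than silently passing.

```rust
// Added example of a fail-closed version gate for the advisory's affected
// range. Illustrative code written for this page, not HarborGuard's own.

/// Plain MAJOR.MINOR.PATCH version. Deriving Ord compares the fields in
/// declaration order, which gives the numeric ordering a policy needs.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

/// First fixed release named by the upstream advisory.
pub const FIXED: Version = Version { major: 0, minor: 8, patch: 26 };

/// Parse "0.8.26" (a leading 'v' is tolerated). Anything that is not exactly
/// three numeric components is rejected rather than guessed at.
pub fn parse_version(s: &str) -> Option<Version> {
    let parts: Vec<&str> = s.trim().trim_start_matches('v').split('.').collect();
    if parts.len() != 3 {
        return None;
    }
    Some(Version {
        major: parts[0].parse().ok()?,
        minor: parts[1].parse().ok()?,
        patch: parts[2].parse().ok()?,
    })
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    /// Not the package this advisory covers.
    NotApplicable,
    /// CodeWhale < 0.8.26: non-compliant, block promotion.
    Affected,
    /// CodeWhale >= 0.8.26.
    Fixed,
    /// Version string could not be parsed: fail closed and block.
    Unparseable,
}

/// Evaluate one SBOM entry (package name, version string) against the
/// advisory's affected range.
pub fn evaluate(name: &str, version: &str) -> Verdict {
    if !name.eq_ignore_ascii_case("codewhale") {
        return Verdict::NotApplicable;
    }
    match parse_version(version) {
        None => Verdict::Unparseable,
        Some(v) if v < FIXED => Verdict::Affected,
        Some(_) => Verdict::Fixed,
    }
}

/// Gate an image: promotion is blocked if any entry is affected or could not
/// be evaluated.
pub fn blocks_promotion(sbom: &[(&str, &str)]) -> bool {
    sbom.iter().any(|(name, version)| {
        matches!(evaluate(name, version), Verdict::Affected | Verdict::Unparseable)
    })
}

fn main() {
    // Constructed SBOM entries for the example. Note 0.8.3: a naive string
    // compare would rank it above "0.8.26" and wrongly let it through.
    let sbom = [("openssl", "3.0.13"), ("codewhale", "0.8.3")];
    for (name, version) in &sbom {
        println!("{name} {version}: {:?}", evaluate(name, version));
    }
    println!("blocks promotion: {}", blocks_promotion(&sbom));
}
```

Two design choices matter here: the comparison is numeric per component, and an entry whose version cannot be parsed (a "latest" tag, say) blocks the image instead of being ignored, since an unknown version is exactly the case a policy gate must not wave through.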

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in: not recorded
Affected products: 1
Affected packages:
  • Hmbown / CodeWhale, versions < 0.8.26
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H