⚠️ Note to maintainer: I attempted to reach you privately via the email in SECURITY.md—it appears to be incorrect. I also attempted to connect on LinkedIn with no response. I am raising this as a public issue as a last resort after exhausting private channels, per responsible disclosure norms. I am happy to move this to a private channel (GitHub Security Advisory, email, DM) if you prefer.
Reported by: Katriel Moses
Affected version: v4.x and earlier
Report date: 18 April 2026
Total issues: 5 (3 Critical, 2 High)
Summary
A security audit of cavekit identified five vulnerabilities spanning Remote Code Execution, Prompt Injection, and Broken Access Control. All were reproduced locally against an isolated installation.
Vulnerability Details
CKVULN-01 (CRITICAL): Unsanitized shell metacharacters in frontier filenames allow arbitrary command execution in the agent's tmux pane. Remediation: Whitelist filenames to [a-zA-Z0-9_-].
CKVULN-02 (CRITICAL): Lack of prompt boundaries allows attackers to bypass security reviews via git diff comments. Remediation: Use role separation (System vs. User) and clear delimiters.
CKVULN-03 (CRITICAL): The command gate evaluates bash comments (#) as instructions, allowing safe-looking strings to execute dangerous commands. Remediation: Strip bash comments before LLM classification.
CKVULN-04 (HIGH): Missing origin validation on the WebSocket server enables event injection via DNS rebinding. Remediation: Validate the Origin header against an allowlist.
CKVULN-05 (HIGH): The server follows unverified symlinks, allowing arbitrary file reads (e.g., /etc/passwd). Remediation: Resolve paths with fs.realpathSync() and verify they stay within the screen directory.
Disclosure Timeline
18 Apr 2026: Full report prepared.
19–21 Apr 2026: Private outreach attempted (email, LinkedIn); no response.
22 Apr 2026: Public GitHub issue raised as a last resort.
A full written report with proof-of-concept evidence is available. I am happy to share it privately or move this to a GitHub Security Advisory.
Requesting acknowledgement within 7 days, and credit to Katriel Moses in any release notes or advisory.