CVE-2026-45311

CRITICAL 9.6

CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval

CVSS Score

9.6

EPSS Score

0.0%

EPSS Percentile

14th

CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23.

CWE	CWE-94
Vendor	hmbown
Product	codewhale
Published	May 28, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for hmbown codewhale

Be the first to know when new critical vulnerabilities affecting hmbown codewhale are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Hmbown / CodeWhale

>= 0.3.0, < 0.8.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Hmbown/CodeWhale/security/advisories/GHSA-wx44-2q6h-j6p8