{"data":{"id":"bddf586a-c17e-416d-9ebc-cc234c620f62","title":"GHSA-72w5-pf8h-xfp4: DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files","summary":"DeepSeek TUI has a security flaw where the `task_create` tool (which spawns sub-agents that perform work independently) defaults to allowing shell access (`allow_shell=true`) and auto-approving commands (`auto_approve=true`) without explicit user permission. An attacker can hide malicious instructions in project files, and when a user approves what looks like a simple task (like 'fix TODOs'), the spawned sub-agent silently executes the attacker's shell commands with no additional approval prompt.","solution":"The source text provides explicit mitigations: (1) Change `config.rs:1499` to default `allow_shell` to `false` instead of `true` by replacing `self.allow_shell.unwrap_or(true)` with `self.allow_shell.unwrap_or(false)`. (2) Change `task_manager.rs:297` to default `auto_approve` to `None` instead of `Some(true)`, so it does not inherit the session setting. (3) When the model requests `task_create` with `allow_shell=true`, display that fact in the approval prompt so the user knows they are granting shell access.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-72w5-pf8h-xfp4","publishedAt":"2026-05-14T20:29:52.000Z","cveId":"CVE-2026-45374","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["prompt_injection"],"issueType":"vulnerability","affectedPackages":["deepseek-tui@< 0.8.26 (fixed: 0.8.26)"],"affectedVendors":[],"affectedVendorsRaw":["DeepSeek"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-14T20:29:52.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}