GHSA-72w5-pf8h-xfp4: DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
Summary
In DeepSeek TUI, the `task_create` tool (which spawns sub-agents that work independently) defaults to allowing shell access (`allow_shell=true`) and to auto-approving commands (`auto_approve=true`) without the user explicitly granting either. An attacker who can plant instructions in project files can therefore use prompt injection: when the user approves what looks like a harmless task (such as 'fix TODOs'), the spawned sub-agent executes the attacker's shell commands silently, with no further approval prompt.
Solution / Mitigation
The advisory gives three explicit mitigations: (1) In `config.rs:1499`, default `allow_shell` to `false` instead of `true` by replacing `self.allow_shell.unwrap_or(true)` with `self.allow_shell.unwrap_or(false)`. (2) In `task_manager.rs:297`, default `auto_approve` to `None` instead of `Some(true)`, so a sub-agent does not inherit the session's auto-approve setting. (3) When the model requests `task_create` with `allow_shell=true`, state that in the approval prompt so the user knows they are granting shell access.
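The following Rust program is an added illustration of the three mitigations above; it is not DeepSeek TUI's own code, and the `TaskCreateRequest`, `ResolvedPolicy`, `resolve_insecure`, `resolve_secure` and `approval_prompt` names are hypothetical stand-ins for whatever the project actually uses. It places the insecure default resolution beside the hardened one and shows an approval prompt that surfaces a shell grant instead of hiding it behind the task description.

```rust
// Added example, not DeepSeek TUI code. Types and function names are
// hypothetical; only the Option<bool> defaulting pattern is taken from
// the advisory (unwrap_or(true) vs unwrap_or(false)).

/// What the model hands to `task_create`. `None` means the model did not
/// set the flag explicitly, which is exactly the case the default decides.
#[derive(Debug, Clone, PartialEq)]
pub struct TaskCreateRequest {
    pub description: String,
    pub allow_shell: Option<bool>,
    pub auto_approve: Option<bool>,
}

/// The effective permissions the spawned sub-agent will run with.
#[derive(Debug, Clone, PartialEq)]
pub struct ResolvedPolicy {
    pub allow_shell: bool,
    pub auto_approve: bool,
}

/// Insecure resolution, mirroring the defaults the advisory describes:
/// an unset `allow_shell` becomes `true` and an unset `auto_approve`
/// becomes `true`, so a task the user approved as "fix TODOs" can run
/// shell commands with no further prompt.
pub fn resolve_insecure(req: &TaskCreateRequest) -> ResolvedPolicy {
    ResolvedPolicy {
        allow_shell: req.allow_shell.unwrap_or(true),
        auto_approve: req.auto_approve.unwrap_or(true),
    }
}

/// Hardened resolution: both flags default to `false`. Shell access must be
/// requested explicitly, and even then every command still needs approval
/// unless auto-approve was explicitly requested as well.
pub fn resolve_secure(req: &TaskCreateRequest) -> ResolvedPolicy {
    ResolvedPolicy {
        allow_shell: req.allow_shell.unwrap_or(false),
        auto_approve: req.auto_approve.unwrap_or(false),
    }
}

/// Text shown to the user before the sub-agent is spawned. A shell grant is
/// stated in its own line so it cannot hide behind a benign task description.
pub fn approval_prompt(req: &TaskCreateRequest, policy: &ResolvedPolicy) -> String {
    let mut lines = vec![format!("Sub-agent task: {}", req.description)];
    if policy.allow_shell {
        lines.push("WARNING: this task grants the sub-agent SHELL ACCESS.".to_string());
        if policy.auto_approve {
            lines.push("Shell commands will run WITHOUT further approval prompts.".to_string());
        } else {
            lines.push("Each shell command will require separate approval.".to_string());
        }
    } else {
        lines.push("No shell access (sub-agent limited to non-shell tools).".to_string());
    }
    lines.push("Approve? [y/N]".to_string());
    lines.join("\n")
}

fn main() {
    // Constructed request: the kind of innocuous task a user would wave through.
    let req = TaskCreateRequest {
        description: "Fix the TODO comments in src/".to_string(),
        allow_shell: None,
        auto_approve: None,
    };

    let bad = resolve_insecure(&req);
    println!("insecure defaults -> {:?}\n{}\n", bad, approval_prompt(&req, &bad));

    let good = resolve_secure(&req);
    println!("hardened defaults -> {:?}\n{}\n", good, approval_prompt(&req, &good));

    // Explicit shell request: allowed, but the prompt now says so, and each
    // command still needs approval because auto_approve was not requested.
    let explicit = TaskCreateRequest { allow_shell: Some(true), ..req.clone() };
    let p = resolve_secure(&explicit);
    println!("explicit shell request -> {:?}\n{}", p, approval_prompt(&explicit, &p));
}
```

The point of `resolve_secure` is that the absence of a flag is never read as consent: a sub-agent only gets shell access or auto-approval when the model asked for it, and the request is then visible to the user in the prompt rather than inherited silently from the session.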
Vulnerability Details
EPSS: 0.0%
May 14, 2026
Related Issues
CVE-2026-30308: In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe comman
CVE-2026-40087: LangChain is a framework for building agents and LLM-powered applications. Prior to 0.3.84 and 1.2.28, LangChain's f-str
Original source: https://github.com/advisories/GHSA-72w5-pf8h-xfp4
First tracked: May 14, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%