CVE-2026-45311: CWE-94: Improper Control of Generation of Code ('Code Injection') in Hmbown CodeWhale
CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23.
AI Analysis
Technical Summary
CodeWhale, a DeepSeek + MiMo coding agent, includes a run_tests tool that, in versions 0.3.0 to 0.8.22, executes 'cargo test' with ApprovalRequirement::Auto, bypassing user approval. Since 'cargo test' compiles and runs arbitrary code including test binaries, build.rs scripts, and procedural macros, this design allows malicious test code in a repository to execute arbitrary shell commands and perform harmful actions such as credential exfiltration or persistence establishment. The vulnerability is intensified by the AGENTS.md file, which can auto-load instructions to run tests at session start. This security boundary inconsistency is addressed in version 0.8.23.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the system running CodeWhale without user approval, potentially leading to credential theft, system compromise, and persistent control. The vulnerability affects confidentiality, integrity, and availability, as reflected by the CVSS score of 9.6 (critical). There are no reports of exploitation in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in CodeWhale version 0.8.23. Users should upgrade to version 0.8.23 or later to remediate the issue. Since no official remediation level or patch links are provided, users must verify the upgrade availability from the vendor's official channels. Until upgraded, users should avoid running CodeWhale on untrusted repositories and disable or restrict automatic test execution if possible.
CVE-2026-45311: CWE-94: Improper Control of Generation of Code ('Code Injection') in Hmbown CodeWhale
Description
CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the run_tests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build scripts, and proc macros. While auto-approving test execution is a deliberate design choice, it creates an inconsistency in the security boundary. However, in a malicious repository, test code can execute arbitrary shell commands, exfiltrate credentials, or establish persistence with zero approval. The attack is amplified by AGENTS.md (auto-loaded into the system prompt), which can instruct the model to run tests proactively at session start. This vulnerability is fixed in 0.8.23.
CVSS v3.1
Score 9.6critical
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CodeWhale, a DeepSeek + MiMo coding agent, includes a run_tests tool that, in versions 0.3.0 to 0.8.22, executes 'cargo test' with ApprovalRequirement::Auto, bypassing user approval. Since 'cargo test' compiles and runs arbitrary code including test binaries, build.rs scripts, and procedural macros, this design allows malicious test code in a repository to execute arbitrary shell commands and perform harmful actions such as credential exfiltration or persistence establishment. The vulnerability is intensified by the AGENTS.md file, which can auto-load instructions to run tests at session start. This security boundary inconsistency is addressed in version 0.8.23.
Potential Impact
Successful exploitation allows an attacker to execute arbitrary code on the system running CodeWhale without user approval, potentially leading to credential theft, system compromise, and persistent control. The vulnerability affects confidentiality, integrity, and availability, as reflected by the CVSS score of 9.6 (critical). There are no reports of exploitation in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in CodeWhale version 0.8.23. Users should upgrade to version 0.8.23 or later to remediate the issue. Since no official remediation level or patch links are provided, users must verify the upgrade availability from the vendor's official channels. Until upgraded, users should avoid running CodeWhale on untrusted repositories and disable or restrict automatic test execution if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-11T20:50:30.538Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a188377e29bf47b50179037
Added to database: 5/28/2026, 6:03:35 PM
Last enriched: 5/28/2026, 6:18:48 PM
Last updated: 5/29/2026, 6:22:32 PM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.