CVE-2026-54056: CWE-59: Improper Link Resolution Before File Access ('Link Following') in kovidgoyal kitty
Kitty versions 0.47.0 and 0.47.1 contain a vulnerability in the `kitten dnd` remote drag-and-drop feature that allows a malicious remote source to overwrite or truncate arbitrary files writable by the local user. This occurs due to improper handling of symbolic links during file staging on case-sensitive filesystems, where an attacker can create a symlink and then cause a write operation to follow it, leading to file modification outside the intended directory. The issue is fixed in version 0.47.2.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-54056) in kovidgoyal's kitty terminal affects versions 0.47.0 and 0.47.1 in the `kitten dnd` remote drag-and-drop staging process. When handling remote `text/uri-list` drops, the software stages files in a temporary directory but does not properly de-duplicate duplicate basenames on case-sensitive filesystems. An attacker can exploit this by first creating a staged symlink and then sending a same-name regular file. The write operation uses `openat` without the `O_NOFOLLOW` flag, causing the write to follow the symlink and overwrite or truncate arbitrary files outside the staging directory before final confirmation. This vulnerability is related to but distinct from a previous file-transfer symlink issue and was patched in version 0.47.2.
Potential Impact
An attacker with the ability to perform remote drag-and-drop operations can cause arbitrary writable files of the local kitty user to be overwritten or truncated. This can lead to integrity loss of local files and potentially disrupt normal operations or escalate further attacks. The CVSS score of 7.6 reflects high severity with network attack vector, low attack complexity, requiring privileges and user interaction, and causing a partial integrity impact with low availability impact.
Mitigation Recommendations
Version 0.47.2 of kitty contains a patch that fixes this vulnerability. Users should upgrade to version 0.47.2 or later to remediate the issue. No other official remediation or temporary fixes are documented. Until upgraded, users should avoid accepting remote drag-and-drop operations from untrusted sources.
CVE-2026-54056: CWE-59: Improper Link Resolution Before File Access ('Link Following') in kovidgoyal kitty
Description
Kitty versions 0.47.0 and 0.47.1 contain a vulnerability in the `kitten dnd` remote drag-and-drop feature that allows a malicious remote source to overwrite or truncate arbitrary files writable by the local user. This occurs due to improper handling of symbolic links during file staging on case-sensitive filesystems, where an attacker can create a symlink and then cause a write operation to follow it, leading to file modification outside the intended directory. The issue is fixed in version 0.47.2.
CVSS v3.1
Score 7.6high
Affected software
pkg:github/kovidgoyal/kittyRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-54056) in kovidgoyal's kitty terminal affects versions 0.47.0 and 0.47.1 in the `kitten dnd` remote drag-and-drop staging process. When handling remote `text/uri-list` drops, the software stages files in a temporary directory but does not properly de-duplicate duplicate basenames on case-sensitive filesystems. An attacker can exploit this by first creating a staged symlink and then sending a same-name regular file. The write operation uses `openat` without the `O_NOFOLLOW` flag, causing the write to follow the symlink and overwrite or truncate arbitrary files outside the staging directory before final confirmation. This vulnerability is related to but distinct from a previous file-transfer symlink issue and was patched in version 0.47.2.
Potential Impact
An attacker with the ability to perform remote drag-and-drop operations can cause arbitrary writable files of the local kitty user to be overwritten or truncated. This can lead to integrity loss of local files and potentially disrupt normal operations or escalate further attacks. The CVSS score of 7.6 reflects high severity with network attack vector, low attack complexity, requiring privileges and user interaction, and causing a partial integrity impact with low availability impact.
Mitigation Recommendations
Version 0.47.2 of kitty contains a patch that fixes this vulnerability. Users should upgrade to version 0.47.2 or later to remediate the issue. No other official remediation or temporary fixes are documented. Until upgraded, users should avoid accepting remote drag-and-drop operations from untrusted sources.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-11T18:24:35.096Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c758ce617e2d834c30b86
Added to database: 6/12/2026, 9:09:32 PM
Last enriched: 6/12/2026, 9:24:22 PM
Last updated: 6/12/2026, 10:22:06 PM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.