The rtk tool filters and compresses command outputs before they reach the LLM context. Before version 0.42.2, its permission splitter failed to conservatively split or reject several shell constructs that Bash uses to separate or nest commands. Consequently, a command starting with an allowed prefix (e.g., 'git') could conceal a second command behind these constructs. The rtk rewrite process returned an exit code 0, leading the Claude hook to emit a permission decision of "allow." However, the rewritten command still contained the hidden command, which executed without the intended user permission enforcement. This is an incorrect authorization vulnerability classified as CWE-863 and is fixed in rtk version 0.42.2.

An attacker could bypass intended permission checks and execute unauthorized commands hidden behind allowed command prefixes. This leads to a high impact on confidentiality, integrity, and availability of the affected system. The vulnerability allows commands to run without user confirmation or denial, undermining the security controls designed to enforce permission rules.

This vulnerability is fixed in rtk version 0.42.2. Users should upgrade to version 0.42.2 or later to remediate this issue. No other official remediation or temporary fixes are indicated. Patch status is not explicitly confirmed beyond the fix in 0.42.2, so verify with the vendor advisory for the latest guidance.