CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files
The task_create tool spawns durable sub-agents that inherit two insecure defaults:
- allow_shell defaults to true (config.rs:1499: self.allow_shell.unwrap_or(true))
- auto_approve defaults to true (task_manager.rs:297: auto_approve: Some(true))
When a user approves a task_create call (which requires ApprovalRequirement::Required), they approve what appears to be a benign work prompt (e.g., “fix TODOs and write a README”). However, the spawned sub-agent silently receives unrestricted, unapproved shell access. Neither allow_shell nor auto_approve needs to be explicitly specified by the model; both default to true.
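The fail-open default pattern described above, next to a fail-closed alternative, as an added example that is not DeepSeek TUI code or the project's fix. Apart from the allow_shell and auto_approve field names, every type and function name here is a hypothetical stand-in, and auto_approve is modelled as an optional field for symmetry.

```rust
// Added illustration: type and function names are hypothetical, not DeepSeek TUI code.
// Only the field names allow_shell / auto_approve come from the advisory.
struct TaskRequest {
    prompt: String,
    allow_shell: Option<bool>,  // None when the model omits the field
    auto_approve: Option<bool>, // None when the model omits the field
}

// Capabilities the user explicitly granted in the approval dialog.
struct Approval { shell: bool, auto_approve: bool }

#[derive(Debug, PartialEq)]
struct Effective { allow_shell: bool, auto_approve: bool }

// Fail-open: the pattern the advisory describes, omitted fields become true.
fn resolve_fail_open(req: &TaskRequest) -> Effective {
    Effective {
        allow_shell: req.allow_shell.unwrap_or(true),
        auto_approve: req.auto_approve.unwrap_or(true),
    }
}

// Fail-closed: omitted fields become false, and even an explicit `true`
// only takes effect if the user granted that capability.
fn resolve_fail_closed(req: &TaskRequest, ok: &Approval) -> Effective {
    Effective {
        allow_shell: req.allow_shell.unwrap_or(false) && ok.shell,
        auto_approve: req.auto_approve.unwrap_or(false) && ok.auto_approve,
    }
}

// Approval text that shows requested capabilities next to the prompt.
fn approval_summary(req: &TaskRequest) -> String {
    format!(
        "task: {:?} | shell: {} | auto-approve: {}",
        req.prompt,
        req.allow_shell.unwrap_or(false),
        req.auto_approve.unwrap_or(false)
    )
}

fn main() {
    // Constructed request: the model supplies only a prompt.
    let req = TaskRequest { prompt: "fix TODOs and write a README".into(), allow_shell: None, auto_approve: None };
    println!("fail-open:   {:?}", resolve_fail_open(&req));
    println!("fail-closed: {:?}", resolve_fail_closed(&req, &Approval { shell: false, auto_approve: false }));
    println!("{}", approval_summary(&req));
}
```

With the fail-closed resolver, a request that omits both fields yields a sub-agent with neither capability, whatever the user clicked.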