CVE-2026-30311
Published: 31 March 2026
Description
Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution (specifically $(...) and backticks `...`). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
Mitigating Controls (NIST 800-53 r5) (AI)
Implements input validation at command entry points to reject or sanitize shell substitutions like $(...) and backticks, directly preventing the OS command injection vulnerability.
Mandates timely flaw remediation to patch the fragile regex whitelist in the command auto-approval module, eliminating the specific bypass enabling RCE.
Enforces least privilege on the command execution process, limiting the scope and impact of RCE even if injection occurs.
Security Summary (AI)
CVE-2026-30311 is a critical OS command injection vulnerability (CWE-78) in Ridvay Code's command auto-approval module, published on 2026-03-31 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The module employs fragile regular expressions to enforce a whitelist security mechanism by parsing command structures and intercepting dangerous operations. However, it fails to account for standard shell command substitutions, such as $(...) and backticks, rendering the whitelist completely ineffective.
The vulnerability enables remote attackers with no privileges or user interaction to achieve remote code execution. Exploitation involves constructing a malicious command, such as git log --grep="$(malicious_command)", which the system misidentifies as a safe git operation and automatically approves. The underlying shell then prioritizes execution of the injected malicious code within the arguments.
Advisories and further details, including potential patches or mitigations, are referenced at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/8 and https://ridvay.com/.
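An added example (not Ridvay Code's code and not taken from the referenced advisory) contrasting a prefix-regex approval check of the kind described above with a stricter check that rejects shell substitution and returns an argv list for execution without a shell. The allowlist, function names and sample commands are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed allowlist for illustration; not Ridvay Code's real configuration.
ALLOWED = {("git", "log"), ("git", "status"), ("git", "diff")}

# Prefix regex of the kind the advisory describes: it inspects only how the
# command starts, so anything inside the arguments goes unexamined.
NAIVE = re.compile(r"^git (log|status|diff)\b")

# Characters a POSIX shell treats as substitution, chaining or redirection.
# '$' and '`' are still expanded inside double quotes, so quoting does not help.
SHELL_ACTIVE = re.compile(r"[`$;&|<>\r\n]")


def naive_auto_approve(command: str) -> bool:
    """Weak check: approves based on the command prefix alone."""
    return bool(NAIVE.match(command))


def strict_auto_approve(command: str):
    """Return an argv list to run with shell=False, or None for manual review."""
    if SHELL_ACTIVE.search(command):
        return None                      # substitution or operator present
    try:
        argv = shlex.split(command, posix=True)
    except ValueError:                   # unbalanced quotes
        return None
    if tuple(argv[:2]) not in ALLOWED:
        return None
    return argv                          # e.g. subprocess.run(argv, shell=False)


# Constructed sample commands; the second is the form quoted in the advisory.
SAMPLES = [
    'git log --grep="fix typo"',
    'git log --grep="$(malicious_command)"',
    "git log --grep=`malicious_command`",
    "git status",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r}: naive={naive_auto_approve(cmd)} "
              f"strict={strict_auto_approve(cmd)}")
```

Because the strict check hands back an argv list meant for execution without a shell, approved arguments reach git as literal strings, and anything rejected falls back to manual approval.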
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE enables unauthenticated remote code execution through OS command injection exploiting shell substitutions in a public-facing module's whitelist, directly facilitating T1190 (Exploit Public-Facing Application) for initial access and T1059.004 (Unix Shell) for command execution.