CVE-2026-45038 Overview
CVE-2026-45038 is a code execution vulnerability in Tabby, a configurable terminal emulator formerly known as Terminus. Versions prior to 1.0.233 fail to escape control characters from file paths during drag-and-drop operations. An attacker who tricks a user into dragging a maliciously named file into the terminal can achieve arbitrary code execution. The flaw is tracked under CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences. The vendor addressed the issue in Tabby 1.0.233.
Critical Impact
Local code execution through unescaped control characters in dropped file paths, requiring only a single drag-and-drop user interaction.
Affected Products
- Tabby (formerly Terminus) terminal emulator versions prior to 1.0.233
- All platforms supported by the Tabby Electron application
- Installations accepting drag-and-drop file input from untrusted sources
Discovery Timeline
- 2026-05-15 - CVE-2026-45038 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-45038
Vulnerability Analysis
Tabby renders dropped files by inserting their paths directly into the active terminal session. The application does not neutralize ANSI escape sequences or control characters embedded in those paths. An attacker crafts a filename containing terminal control sequences and delivers it to the victim through any normal file-sharing channel. When the victim drags the file into a Tabby terminal, the embedded sequences are interpreted by the emulator rather than treated as literal text. This enables command injection into the terminal's input buffer, leading to execution of attacker-controlled commands in the user's shell context.
Root Cause
The root cause is improper neutralization of escape, meta, and control sequences [CWE-150]. Tabby's drag-and-drop handler concatenates the raw file path into terminal input without sanitization. Control characters such as carriage returns, line feeds, and OSC or CSI escape sequences pass through unchanged. Terminal emulators treat these sequences as commands, which violates the trust boundary between file metadata and terminal input.
Attack Vector
Exploitation requires local user interaction. The attacker creates a file whose name contains an embedded newline and shell command, or an ANSI sequence that programs a function key to execute commands. The file is delivered to the victim via email attachment, shared folder, web download, or removable media. When the victim drags the file into a Tabby window, the terminal interprets the malicious sequence and runs the attacker's commands with the privileges of the current user. No additional authentication is required beyond the user gesture.
The vulnerability mechanism is described in the Tabby GitHub Security Advisory GHSA-m937-jm93-pfp6. No public proof-of-concept code has been released.
Detection Methods for CVE-2026-45038
Indicators of Compromise
- Tabby installations reporting a version string below 1.0.233 in application metadata or package manifests
- Shell history entries containing commands the user did not type, especially immediately following file drag operations
- Files on disk with names containing embedded newline (\n), carriage return (\r), or ESC (\x1b) bytes
Detection Strategies
- Inventory endpoints for Tabby binaries and compare installed versions against the fixed release 1.0.233
- Monitor process creation events where the parent is tabby.exe or Tabby and the child process is an interpreter such as bash, powershell.exe, cmd.exe, or sh with unusual arguments
- Hunt filesystem telemetry for filenames containing non-printable control bytes, which are rare in legitimate workflows
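The filename hunt described above can be run directly on a POSIX endpoint. The following is an added example, not vendor tooling or code from the advisory; the function names are hypothetical and the byte ranges checked are an assumption about what counts as a control byte (C0 controls and DEL).

```javascript
// Added example (not vendor tooling): flag filenames that carry control bytes.
// Names are read as raw bytes so nothing is lost or altered by string decoding.
const LABELS = { 0x0a: 'LF', 0x0d: 'CR', 0x1b: 'ESC', 0x7f: 'DEL' };

// Return every C0 control byte (0x00-0x1f) or DEL (0x7f) found in a name.
function controlBytes(nameBuf) {
  const hits = [];
  nameBuf.forEach((b, offset) => {
    if (b < 0x20 || b === 0x7f) {
      hits.push({ offset, byte: b, label: LABELS[b] || 'C0' });
    }
  });
  return hits;
}

// Render a name for a report using printable ASCII only, so the finding
// itself cannot drive the analyst's terminal when it is displayed.
function printable(nameBuf) {
  return Array.from(nameBuf, (b) =>
    b >= 0x20 && b <= 0x7e && b !== 0x5c
      ? String.fromCharCode(b)
      : '\\x' + b.toString(16).padStart(2, '0')
  ).join('');
}

// Walk a directory tree (symlinks are not followed) and collect findings.
async function scanTree(root) {
  const fs = await import('node:fs/promises');
  const findings = [];
  const stack = [Buffer.from(root)];
  while (stack.length > 0) {
    const dir = stack.pop();
    let entries;
    try {
      entries = await fs.readdir(dir, { encoding: 'buffer', withFileTypes: true });
    } catch {
      continue; // unreadable or vanished directory: skip it
    }
    for (const e of entries) {
      const full = Buffer.concat([dir, Buffer.from('/'), e.name]);
      const hits = controlBytes(e.name);
      if (hits.length > 0) findings.push({ path: printable(full), hits });
      if (e.isDirectory()) stack.push(full);
    }
  }
  return findings;
}
```

Call `scanTree` on download, mail-attachment and shared-folder locations and forward the returned findings to the analytics platform.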
Monitoring Recommendations
- Enable command-line logging on endpoints where Tabby is used and forward events to a centralized analytics platform for review
- Alert on shell command executions that occur within seconds of a Tabby window receiving focus or a file drop event
- Track outbound network connections initiated by shells spawned under Tabby for indicators of post-exploitation activity
How to Mitigate CVE-2026-45038
Immediate Actions Required
- Upgrade all Tabby installations to version 1.0.233 or later across managed endpoints
- Identify users who handle untrusted files and prioritize their workstations for the update
- Instruct users to avoid dragging files from untrusted sources into Tabby terminal windows until patching is complete
Patch Information
The Tabby maintainers fixed the issue in release 1.0.233 by escaping control characters in file paths before they reach the terminal input stream. Release notes and the patched source are available in the Tabby GitHub repository and the GHSA-m937-jm93-pfp6 advisory.
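The class of fix described here, and the unsafe behaviour described under Root Cause, can be shown side by side. This is an added example and not Tabby's actual patch; the function names are hypothetical, and it assumes the dropped path is pasted at a bash or zsh prompt, where `$'...'` quoting is available.

```javascript
// Added example, not Tabby's patch: neutralizing a dropped path (CWE-150).

// C0 controls, DEL and C1 controls. CR/LF submit a line to the shell;
// ESC (0x1b) and the C1 bytes 0x9b/0x9d introduce CSI/OSC sequences.
const CONTROL = /[\u0000-\u001f\u007f-\u009f]/;

// Constructed sample name: LF, a marker word, then an ESC-introduced sequence.
const SAMPLE_NAME = 'report\nMARKER\x1b[0m.txt';

// "Before" behaviour as the advisory describes it: the raw path becomes input.
function rawDropText(path) {
  return path + ' ';
}

// Hardened: quote for a POSIX shell and never emit a control character.
function safeDropText(path) {
  if (!CONTROL.test(path)) {
    // Plain single quotes; an embedded ' is written as '\''
    return "'" + path.replace(/'/g, "'\\''") + "' ";
  }
  // ANSI-C quoting ($'...'): each control character is replaced by the
  // printable text \xHH or \uHHHH, which the shell decodes back into the
  // real filename only after the whole word has been parsed as one argument.
  const body = path.replace(/[\\'\u0000-\u001f\u007f-\u009f]/g, (ch) => {
    if (ch === '\\' || ch === "'") return '\\' + ch;
    const code = ch.charCodeAt(0);
    return code < 0x80
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
  return "$'" + body + "' ";
}
```

A stricter handler can refuse the drop outright whenever `CONTROL` matches, since such names are rare in legitimate workflows.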
Workarounds
- Disable drag-and-drop file handling in the Tabby configuration where supported by user policy
- Restrict file transfers from untrusted sources using endpoint controls and email gateway scanning
- Use an alternative terminal emulator that sanitizes control characters in dropped paths until the Tabby update is deployed
# Verify installed Tabby version on Linux/macOS
tabby --version
# Example upgrade via package manager (Linux)
sudo apt-get update && sudo apt-get install --only-upgrade tabby-terminal
# Windows: upgrade via winget
winget upgrade Eugeny.Tabby