CVE-2026-8765 Overview
CVE-2026-8765 is a path traversal vulnerability (CWE-22, Improper Limitation of a Pathname to a Restricted Directory) in Kilo-Org kilocode versions up to and including 7.0.47. The flaw is in the Bun.file call in packages/opencode/src/kilocode/review/worktree-diff.ts, part of the File Diff API Endpoint component: the File argument is passed through without being confined to the worktree, so a caller can use traversal sequences to read files outside the intended directory. The issue is exploitable over the network and requires only low privileges, that is, an authenticated user of the service. A public proof of concept exists, and the vendor did not respond to disclosure attempts.
Critical Impact
A remote authenticated attacker can read arbitrary files accessible to the kilocode process by submitting crafted path traversal sequences to the File Diff API.
Affected Products
- Kilo-Org kilocode versions through 7.0.47
- Component: File Diff API Endpoint (packages/opencode/src/kilocode/review/worktree-diff.ts)
- Affected function: Bun.file
Discovery Timeline
- 2026-05-17 - CVE-2026-8765 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8765
Vulnerability Analysis
The vulnerability stems from insufficient validation of the File parameter accepted by the File Diff API Endpoint. The handler in worktree-diff.ts forwards the user-supplied filename to Bun.file() without normalizing it or constraining the resolved result to the worktree root. A request whose File value contains enough ../ segments (for example ../../../../etc/passwd, with at least as many segments as the worktree is deep) therefore resolves outside the intended directory, and the Bun runtime opens whatever file the kilocode process is permitted to read. Because the endpoint returns the file's contents in the response body, the result is direct disclosure rather than a blind read.
Root Cause
The root cause is missing input sanitization in the worktree diff handler. The code treats the File argument as a relative path inside the worktree but never canonicalizes it, never checks the resolved result against the project root, and never rejects .. segments, so CWE-22 applies: the pathname supplied by the user is not restricted to the intended directory. A correct fix needs more than stripping the literal string ..: the check has to run on the value after URL decoding, it has to reject absolute input (which path resolution would otherwise accept in place of the root), and the prefix comparison has to include the trailing separator so that a sibling directory sharing the root's prefix does not pass.
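The vulnerable pattern next to a hardened resolver, as an added example in TypeScript; this is not the project's code and does not reproduce the actual worktree-diff.ts handler. The worktree root is a constructed placeholder, and the call into Bun.file is left out so the functions also run under Node; a handler would pass the non-null result of resolveWithinWorktree to the file API and return a 400 on null.

```typescript
import * as path from "node:path";

// Constructed worktree root for the examples; not a path from the project.
const WORKTREE_ROOT = "/var/lib/kilocode/worktrees/project-a";

// The pattern the advisory describes: the user value is joined onto the root
// and would then go straight to the file API. path.join collapses "..", so a
// value with enough "../" segments walks out of the root entirely.
function resolveUnsafe(root: string, file: string): string {
  return path.join(root, file);
}

// Hardened resolution. Returns the absolute path to open, or null if the
// request must be rejected. Input is expected to be the already URL-decoded
// parameter value, since frameworks decode before the handler sees it.
function resolveWithinWorktree(root: string, file: string): string | null {
  // NUL bytes truncate C-level paths; absolute input would make path.resolve
  // discard the root entirely. Reject both before doing anything else.
  if (file.includes("\0") || path.isAbsolute(file)) return null;

  const rootAbs = path.resolve(root);
  // Lexical canonicalisation: collapses "." and ".." segments and repeated slashes.
  const candidate = path.resolve(rootAbs, file);

  // Require a strict descendant. Comparing against root + separator is what
  // stops ".../worktrees/project-a-evil/x" from passing a plain startsWith check,
  // and it also rejects "" and ".", which resolve to the root directory itself.
  const rootWithSep = rootAbs.endsWith(path.sep) ? rootAbs : rootAbs + path.sep;
  if (!candidate.startsWith(rootWithSep)) return null;
  return candidate;
}
```

This check is lexical. If the worktree can contain symlinks that point outside it (a git checkout can), resolve the candidate with fs.realpath and repeat the same prefix comparison on the result before opening it.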
Attack Vector
The attack vector is network-based and requires low privileges: the attacker needs a valid session or other authenticated context with the kilocode service. Exploitation consists of an HTTP request to the File Diff API Endpoint whose File parameter carries traversal sequences; the unvalidated value is resolved against the worktree base directory and handed to Bun.file(), which reads the target. No user interaction is required. A public proof of concept demonstrating the technique is hosted on GitHub Gist, and further tracking is available in the VulDB Vulnerability #364390 entry and its CTI record.
Detection Methods for CVE-2026-8765
Indicators of Compromise
- HTTP requests to the kilocode File Diff API whose File parameter contains ../ sequences or encoded equivalents (%2e%2e%2f, double-encoded %252e%252e%252f, or backslash forms such as ..%5c); match after decoding, since web frameworks normally decode the value before the handler sees it
- API responses returning file contents from outside the expected worktree path (e.g., /etc/, /root/, user home directories)
- Unexpected reads of sensitive system files in process or filesystem audit logs originating from the kilocode service account
Detection Strategies
- Inspect web server and application logs for traversal patterns in query strings and JSON bodies targeting the worktree-diff endpoint
- Deploy a Web Application Firewall (WAF) rule set blocking common path traversal payloads in requests to kilocode API routes; the rules must normalize URL encoding (including double encoding) and backslashes before matching, and this is a stopgap rather than a fix, because the handler itself stays vulnerable
- Correlate file access telemetry with the kilocode process identifier to identify reads outside declared project directories
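A small scanner over access-log lines that implements the decode-then-match approach the indicators above call for, as an added example in TypeScript that is not part of the advisory or the project. The endpoint path /api/review/worktree-diff, the query parameter name file and the log lines are all constructed for the example; the real route and parameter name must be taken from the deployment.

```typescript
// Endpoint path and parameter name are assumptions for this example; the
// advisory only names the component and the File argument.
const DIFF_ENDPOINT = "/api/review/worktree-diff";
const FILE_PARAM = "file";

// Constructed access-log lines in the common combined format. Not real kilocode logs.
const SAMPLE_LOG_LINES: string[] = [
  '10.0.0.5 - - [17/May/2026:10:01:02 +0000] "GET /api/review/worktree-diff?file=src/index.ts HTTP/1.1" 200 812',
  '10.0.0.9 - - [17/May/2026:10:01:07 +0000] "GET /api/review/worktree-diff?file=../../../../etc/passwd HTTP/1.1" 200 2451',
  '10.0.0.9 - - [17/May/2026:10:01:09 +0000] "GET /api/review/worktree-diff?file=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 200 1320',
  '10.0.0.9 - - [17/May/2026:10:01:11 +0000] "GET /api/review/worktree-diff?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2451',
  '10.0.0.9 - - [17/May/2026:10:01:13 +0000] "GET /api/review/worktree-diff?file=..%5c..%5cwindows%5cwin.ini HTTP/1.1" 404 0',
  '10.0.0.7 - - [17/May/2026:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 15',
];

interface TraversalHit {
  ip: string;
  raw: string;          // parameter value exactly as logged
  decoded: string;      // value after repeated URL decoding
  decodeRounds: number; // 2 or more means the attacker double-encoded
}

// Combined-log request line: client, identd, user, [timestamp], "METHOD TARGET PROTO", status, bytes.
const REQUEST_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$/;

// Decode until the value stops changing, bounded so a pathological input cannot
// loop. A malformed escape stops decoding and keeps the last good value.
function fullyDecode(value: string, maxRounds = 3): { decoded: string; rounds: number } {
  let current = value;
  let rounds = 0;
  while (rounds < maxRounds) {
    let next: string;
    try {
      next = decodeURIComponent(current);
    } catch {
      break;
    }
    if (next === current) break;
    current = next;
    rounds++;
  }
  return { decoded: current, rounds };
}

// Segment-based check: backslashes are normalised to slashes first so "..\.."
// is caught, then any segment equal to ".." counts. Matching the substring
// "../" alone would miss the backslash form.
function hasTraversal(decoded: string): boolean {
  return decoded.replace(/\\/g, "/").split("/").includes("..");
}

// Return the raw (still encoded) value of `name` from a query string, or null.
function queryParam(query: string, name: string): string | null {
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) return eq === -1 ? "" : pair.slice(eq + 1);
  }
  return null;
}

function scanLogLines(lines: string[], endpoint = DIFF_ENDPOINT, param = FILE_PARAM): TraversalHit[] {
  const hits: TraversalHit[] = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    const ip = m[1] ?? "";
    const target = m[3] ?? "";
    const q = target.indexOf("?");
    const pathname = q === -1 ? target : target.slice(0, q);
    if (pathname !== endpoint) continue;
    const raw = q === -1 ? null : queryParam(target.slice(q + 1), param);
    if (raw === null) continue;
    const { decoded, rounds } = fullyDecode(raw);
    // Flag ".." segments and absolute paths; both escape a relative worktree.
    if (hasTraversal(decoded) || decoded.startsWith("/")) {
      hits.push({ ip, raw, decoded, decodeRounds: rounds });
    }
  }
  return hits;
}
```

Access logs only carry the query string, so if the File value travels in a JSON body the same decode-and-segment check has to run on logged request bodies instead. A hit paired with a 200 status and a response size larger than a typical diff is the stronger signal; a 404 still shows intent and is worth keeping for the source-IP correlation.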
Monitoring Recommendations
- Enable verbose request logging on the File Diff API and forward to a centralized log platform for retention and search
- Alert on response sizes or content types that deviate from expected diff output formats
- Monitor the kilocode service for file open operations targeting paths outside the configured workspace root
How to Mitigate CVE-2026-8765
Immediate Actions Required
- Restrict network access to the kilocode File Diff API to trusted users and internal networks only
- Audit logs for prior exploitation attempts using the indicators listed above
- Rotate any credentials or secrets that may have been stored in files readable by the kilocode process
Patch Information
The vendor was contacted prior to public disclosure but did not respond. No official patch is referenced in the NVD entry at the time of publication. Track the VulDB Vulnerability #364390 record and the upstream Kilo-Org repository for fix availability. Until a vendor patch is released, operators should treat all kilocode deployments running version 7.0.47 or earlier as exposed.
Workarounds
- Place the kilocode service behind a reverse proxy that rejects requests whose decoded parameters contain .. segments; matching only the literal .. string misses %2e%2e, double-encoded and backslash forms, so decode and normalize before comparing, and treat this as a stopgap until the handler is fixed
- Run the kilocode process under a dedicated low-privilege user with filesystem access scoped to the project worktree only
- Apply mandatory access controls (AppArmor, SELinux) to confine the kilocode process to its working directory
- Disable or remove the File Diff API endpoint if the diff feature is not required in the deployment
# Example AppArmor profile confining kilocode to its worktree. The executable path
# and worktree root are placeholders; adjust them to the deployment. AppArmor is
# default-deny, so anything not listed is already unreadable, and explicit deny
# rules take precedence over allows, which is why /etc/** is not denied wholesale:
# the runtime still needs ld.so.cache, resolv.conf and the CA bundle from /etc
# (add the nameservice and ssl_certs abstractions if the service needs DNS or TLS).
#include <tunables/global>
/usr/bin/kilocode {
  #include <abstractions/base>
  /usr/bin/kilocode mr,
  /var/lib/kilocode/worktrees/** r,
  deny /etc/shadow r,
  deny /root/** r,
  deny /home/*/.ssh/** r,
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


