CVE-2026-8766 Overview
CVE-2026-8766 is an information disclosure vulnerability in Kilo-Org kilocode versions up to 7.0.47. The flaw resides in the Load function within packages/opencode/src/config/config.ts, part of the Environment Variable Handler component. Attackers can manipulate the KILO_CONFIG_CONTENT argument to trigger information disclosure remotely. The exploit has been published, and the vendor did not respond to early disclosure attempts. The vulnerability is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Remote attackers with low privileges can disclose configuration information by manipulating the KILO_CONFIG_CONTENT environment variable processed by the Load function in kilocode.
Affected Products
- Kilo-Org kilocode up to and including version 7.0.47
- kilo:kilo_code_cli (Node.js distribution)
- Component: Environment Variable Handler (packages/opencode/src/config/config.ts)
Discovery Timeline
- 2026-05-17 - CVE-2026-8766 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8766
Vulnerability Analysis
The vulnerability affects the Load function in packages/opencode/src/config/config.ts of the kilocode project. The function processes the KILO_CONFIG_CONTENT environment variable without adequate validation or sanitization. An attacker capable of influencing this variable can coerce the loader into exposing sensitive configuration data. The flaw is remotely exploitable and requires low privileges with no user interaction.
Because kilocode is distributed as a Node.js command-line tool, environment variables represent a primary configuration channel. When the Load function ingests untrusted content via KILO_CONFIG_CONTENT, it returns information that should remain confidential to the executing context. A public proof-of-concept has been published, increasing the likelihood of opportunistic abuse against exposed installations.
Root Cause
The root cause is improper handling of attacker-controllable environment variable input within the configuration loader. The Load routine does not enforce strict boundaries between trusted runtime configuration and untrusted content supplied through KILO_CONFIG_CONTENT. This maps to [CWE-200], where sensitive information is exposed to actors that should not have access.
Attack Vector
The attack vector is network-based with low attack complexity. An attacker who can set or influence the KILO_CONFIG_CONTENT environment variable in a kilocode execution context can trigger the disclosure. Scenarios include shared CI/CD pipelines, multi-tenant developer environments, and any deployment that accepts environment variable input from less-privileged components.
No verified exploit code is reproduced here. A public proof-of-concept is hosted at the GitHub PoC Repository and referenced in VulDB #364391.
Detection Methods for CVE-2026-8766
Indicators of Compromise
- Unexpected or externally injected values present in the KILO_CONFIG_CONTENT environment variable at process launch time.
- Anomalous reads or log output from packages/opencode/src/config/config.ts during kilocode startup.
- Outbound transmissions of configuration data shortly after kilocode execution in CI/CD or developer workstations.
Detection Strategies
- Audit process creation events for kilocode (node invocations) and capture associated environment variables where policy allows.
- Inspect CI/CD job definitions and shell profiles for assignments to KILO_CONFIG_CONTENT that originate from untrusted sources.
- Compare installed kilocode versions across endpoints against the fixed version once published by the vendor.
Monitoring Recommendations
- Forward process telemetry and command-line arguments from developer endpoints and build agents into a centralized analytics platform.
- Alert on kilocode executions that occur outside expected user contexts or build pipelines.
- Monitor outbound network traffic from hosts running kilocode for unusual data volumes following CLI execution.
How to Mitigate CVE-2026-8766
Immediate Actions Required
- Inventory all systems running kilo_code_cli version 7.0.47 or earlier and restrict their use until a patched release is available.
- Remove KILO_CONFIG_CONTENT from any shared environment, CI/CD secret store, or shell profile where untrusted actors can write to it.
- Run kilocode only under dedicated, least-privilege accounts and isolated environments to limit exposure of sensitive configuration data.
Patch Information
At the time of publication, the vendor has not responded to disclosure and no official patch has been referenced in the NVD entry. Track upstream activity through VulDB #364391 and the VulDB CTI Analysis for updates on fixed versions.
Workarounds
- Unset or explicitly clear KILO_CONFIG_CONTENT before invoking kilocode in automated pipelines.
- Wrap kilocode invocations in scripts that sanitize the environment and pass only an allow-list of variables.
- Restrict execution of kilo_code_cli to controlled hosts and remove the package from systems that do not require it.
# Configuration example: launch kilocode with a sanitized environment
env -i \
PATH="/usr/local/bin:/usr/bin:/bin" \
HOME="$HOME" \
kilocode "$@"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
