CVE-2026-30307
Published: 30 March 2026
Summary
CVE-2026-30307 is a critical-severity Code Injection (CWE-94) vulnerability in Roocode Roo Code. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 28.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates comprehensive validation of command inputs to block shell substitutions like $(...) and backticks that bypass the fragile regex whitelist.
Enforces strict restrictions on command inputs to ensure only safe structures are processed, strengthening the ineffective whitelist mechanism.
Requires timely identification, reporting, and correction of the specific flaw in the command auto-approval module to eliminate the injection vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables unauthenticated remote command injection leading to RCE via shell substitutions bypassing whitelist; directly maps to exploitation of public-facing application (T1190) and Unix Shell execution (T1059.004).
NVD Description
Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails…
more
to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep="$(malicious_command)", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction.
Deeper analysisAI
CVE-2026-30307 is a critical OS command injection vulnerability (CWE-94) in Roo Code's command auto-approval module, published on 2026-03-30. The flaw renders the system's whitelist security mechanism completely ineffective due to fragile regular expressions used to parse command structures. These regex patterns fail to account for standard Shell command substitutions, such as $(...) and backticks, allowing dangerous operations to bypass interception while being misclassified as safe.
Any remote attacker can exploit this vulnerability without authentication or user interaction by crafting a command like git log --grep="$(malicious_command)". The auto-approval module identifies it as a benign git operation and approves execution, but the underlying Shell prioritizes and runs the injected malicious code within the arguments. This results in full remote code execution (RCE), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enabling high-impact compromise of confidentiality, integrity, and availability.
Advisories and further details are available in the referenced sources, including the LLM-Tool-Calling-CVEs GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7 and Roo Code's site at https://roocode.com/.
Details
- CWE(s)