CVE-2026-8766: @kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

May 18, 2026 (updated May 28, 2026)

A flaw has been found in Kilo-Org kilocode up to 7.0.47. This issue affects the function Load of the file packages/opencode/src/config/config.ts of the component Environment Variable Handler. Executing a manipulation of the argument KILO_CONFIG_CONTENT can lead to information disclosure. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

References

gist.github.com/YLChen-007/32b444e49ced1a46bde5a68933ccd09f
github.com/advisories/GHSA-rpc6-9c4p-j5cg
nvd.nist.gov/vuln/detail/CVE-2026-8766
vuldb.com/submit/811400
vuldb.com/vuln/364391
vuldb.com/vuln/364391/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-8766 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →