# [CRIT] [GHSA / CRITICAL] CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

**Source:** GitHub Security Advisories
**Published:** 2026-05-14
**Article:** https://github.com/advisories/GHSA-72w5-pf8h-xfp4

## Threat Profile

DeepSeek TUI: task_create Insecure Defaults Enable RCE via Prompt Injection in Project Files

### Summary

The `task_create` tool spawns durable sub-agents that inherit two insecure defaults:

- `allow_shell` defaults to `true` (`config.rs:1499`: `self.allow_shell.unwrap_or(true)`)
- `auto_approve` defaults to `true` (`task_manager.rs:297`: `auto_approve: Some(true)`)

When a user approves a `task_create` call (which requires `ApprovalRequirement::Required`), they approve what appears to be a be…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-45374`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1204.002** — User Execution: Malicious File
- **T1059.004** — Command and Scripting Interpreter: Unix Shell
- **T1059.006** — Command and Scripting Interpreter: Python
- **T1105** — Ingress Tool Transfer
- **T1204.003** — User Execution: Malicious Image

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### DeepSeek-TUI sub-agent shell execution via AGENTS.md prompt injection (CVE-2026-45374)

`UC_292_2` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdlines values(Processes.process_path) as paths from datamodel=Endpoint.Processes where (Processes.parent_process_name="deepseek-tui" OR Processes.parent_process_name="deepseek-tui.exe") (Processes.process_name IN ("curl","wget","bash","sh","zsh","dash","ksh","fish","nc","ncat","socat","python","python3","perl","ruby","node","powershell","pwsh")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | where match(cmdlines, "(?i)(https?://|-s\s+http|curl\s|wget\s|/dev/tcp/|base64\s+-d|-c\s+['\"])") | rename firstTime as firstTime lastTime as lastTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
```

**Defender KQL:**
```kql
// CVE-2026-45374: deepseek-tui sub-agent shell exec (MDE Linux/macOS)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "deepseek-tui"
   or InitiatingProcessFolderPath has "deepseek-tui"
| where FileName in~ ("curl","wget","bash","sh","zsh","dash","ksh","fish",
                      "nc","ncat","socat","python","python3","perl",
                      "ruby","node","powershell","pwsh")
| where ProcessCommandLine has_any ("http://","https://","/dev/tcp/","base64 -d","-c ","-s ")
   or FileName in~ ("nc","ncat","socat")
| project Timestamp, DeviceName, AccountName,
          ParentImage = InitiatingProcessFolderPath,
          ParentCmd   = InitiatingProcessCommandLine,
          ChildImage  = FolderPath,
          ChildCmd    = ProcessCommandLine,
          SHA256
| order by Timestamp desc
```

### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults En

`UC_292_1` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults En ```
| tstats `summariesonly` count
    from datamodel=Endpoint.Filesystem
    where Filesystem.action IN ("created","modified")
      AND (Filesystem.file_path="*/tmp/poc-task-create*" OR Filesystem.file_path="*/dev/null*")
    by Filesystem.dest, Filesystem.user, Filesystem.process_name,
       Filesystem.file_path, Filesystem.file_name
| `drop_dm_object_name(Filesystem)`
```

**Defender KQL:**
```kql
// Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45374: DeepSeek TUI: task_create Insecure Defaults En
// Hunts the actual binaries / paths / commandline fragments named
// in the article instead of a generic technique-class template.

// File-creation events for the named binaries / paths
DeviceFileEvents
| where Timestamp > ago(30d)
| where ActionType in ("FileCreated","FileModified")
| where (FolderPath has_any ("/tmp/poc-task-create", "/dev/null"))
| project Timestamp, DeviceName, AccountName, FolderPath,
          FileName, ActionType, InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-45374`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 3 use case(s) fired, 6 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.