Most of the vulnerabilities on this beat involve a server mishandling input. CVE-2026-45036 inverts that: here the trusting party is the user's own terminal, and the malicious input is a file they simply look at. Published to the National Vulnerability Database on May 15, 2026, the flaw affects Tabby (formerly Terminus), a popular cross-platform terminal emulator, in versions before 1.0.233. NVD scores it 7.0 (HIGH) on CVSS 3.1 with vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H and classifies it under CWE-78: OS Command Injection. The core failure is an access-control one: a security-relevant decision that should have required explicit user confirmation was made automatically.
The mechanism, drawn directly from the NVD description, is intricate but follows a clear logic. ZMODEM is an old file-transfer protocol that terminals detect by watching session output for a specific header. When the program a user is running emits a ZRQINIT header, a well-behaved terminal should ask the user whether to begin a transfer. Tabby instead automatically confirms the detection without any user interaction: its ZModemMiddleware consumes all session output, and on seeing the header it unconditionally calls detection.confirm() and writes a fixed response — a sequence beginning with control bytes — back into the active PTY as input.
How displaying a file becomes running a command
That last detail is the pivot. Writing bytes into the PTY as input means those bytes are queued as if the user had typed them. While the triggering program (say, cat displaying an attacker's file) is running, the injected response is buffered. When that program exits and control returns to the shell, the injected bytes are consumed by the shell as a command line. The user did nothing but view a file; the terminal supplied keystrokes on their behalf.
From there the description details how attackers turn injected bytes into execution of their code, and this is where the access-control story meets a clever bypass of PATH resolution — the very mechanism shells rely on to decide which trusted binary a bare command name refers to. Under the fish shell in its default configuration, the injected response's ** prefix triggers recursive glob expansion against the current directory. An attacker who has placed an executable at a matching nested path — the description gives the example d/xB0100000023be50 — gets it run by relative pathname, never consulting PATH at all. Under bash and zsh, the advisory notes a secondary trick: combining an xterm.js color-query feedback response (OSC 10) in the same file injects a slash-containing command word that likewise sidesteps PATH resolution.
The significance of bypassing PATH is worth dwelling on, because PATH is an implicit trust control. When you type ls, the shell searches a curated list of directories and runs the trusted system binary it finds. By smuggling a command word that contains a slash — a relative or nested path — the attack instructs the shell to run a specific file in the current directory instead, neutralizing the assumption that bare command names map to vetted system tools. An attacker who controls a directory a victim might cd into — a cloned Git repository being the canonical example — can therefore stage both the malicious file and the executable it references.
The confirmation that should never have been automatic
Strip away the protocol details and CVE-2026-45036 reduces to a single design decision: a terminal made a trust decision on the user's behalf that it should have escalated to the user. ZMODEM auto-confirmation is convenient, but confirming a protocol handshake that results in writing bytes into the user's input stream is exactly the kind of action that warrants a human in the loop. The detection.confirm() call being unconditional is the root cause; everything downstream — the glob expansion, the OSC feedback, the PATH bypass — is an attacker exploiting the consequences of that one automatic yes.
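To make that design difference concrete, here is an added example that is not Tabby's code and does not reproduce its ZModemMiddleware: a toy session-output middleware in the auto-confirm shape beside a consent-gated one, plus a pre-scan for the two loop-closing sequences this article discusses. The ZRQINIT header bytes follow the ZMODEM spec and the OSC 10 query follows xterm's convention; FakePty, askUser and the receiver reply are assumed stand-ins.

```javascript
// Added example, not Tabby's code: a toy session-output middleware in the shape the
// advisory describes, once with the unconditional confirm and once gated on consent,
// plus a pre-scan for the two loop-closing sequences the page names. Header bytes
// follow the ZMODEM spec and xterm's OSC 10 query; the reply is a constructed stand-in.
const ZRQINIT_HEADER = '**\x18B00000000000000\r\x8a\x11'; // sender announces a transfer
const OSC10_QUERY = /\x1b\]10;\?(?:\x07|\x1b\\)/;           // "report your foreground colour"
const RECEIVER_REPLY = '**\x18B01<stand-in>\r\x8a\x11';     // only its destination matters

// Stand-in for a PTY: bytes written here are queued exactly as if the user typed them.
class FakePty {
  constructor() { this.typed = ''; }
  writeInput(bytes) { this.typed += bytes; }
}

// Vulnerable shape: seeing the header is treated as the user's "yes".
function autoConfirmMiddleware(pty) {
  return (outputChunk) => {
    if (outputChunk.includes(ZRQINIT_HEADER)) pty.writeInput(RECEIVER_REPLY);
  };
}

// Hardened shape: the header only raises a question; nothing reaches the input
// stream unless askUser (an assumed prompt callback) returns true.
function consentGatedMiddleware(pty, askUser) {
  return (outputChunk) => {
    if (!outputChunk.includes(ZRQINIT_HEADER)) return;
    const ok = askUser('Output looks like a ZMODEM transfer request. Receive files?');
    if (ok === true) pty.writeInput(RECEIVER_REPLY);
  };
}

// Defender's pre-check before displaying untrusted content: list the sequences
// that would make the terminal answer back into the session.
function findLoopClosingSequences(content) {
  const found = [];
  if (content.includes(ZRQINIT_HEADER)) found.push('ZMODEM ZRQINIT header');
  if (OSC10_QUERY.test(content)) found.push('OSC 10 colour query');
  return found;
}

// Constructed file an untrusted repository might ship: prose with both sequences embedded.
const UNTRUSTED_FILE = 'README\n' + ZRQINIT_HEADER + '\x1b]10;?\x07' + '\nmore text\n';
// Run both middlewares over the same displayed output; report what each queued as input.
function demo(askUser) {
  const vulnerable = new FakePty(), gated = new FakePty();
  autoConfirmMiddleware(vulnerable)(UNTRUSTED_FILE);
  consentGatedMiddleware(gated, askUser)(UNTRUSTED_FILE);
  return { autoConfirmTyped: vulnerable.typed, gatedTyped: gated.typed, flags: findLoopClosingSequences(UNTRUSTED_FILE) };
}
```

The pre-scan is the check to run on a file from a cloned repository before displaying it raw in a terminal you do not fully trust.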
The CVSS vector tells you why severity lands at 7.0 rather than higher despite full Confidentiality, Integrity, and Availability impact: the Attack Vector is Local, Attack Complexity is High, and User Interaction is Required — the victim must actually display the crafted content. But none of those conditions requires the user to do anything they would consider risky. Viewing a file in a cloned repository is an everyday action, which is precisely what makes a “requires interaction” bug like this dangerous in practice.
Terminal escape sequences as an attack surface
CVE-2026-45036 belongs to a long and underappreciated lineage of terminal-emulator vulnerabilities rooted in the fact that terminals interpret in-band control sequences mixed into ordinary output. Decades of features — cursor movement, color, title-setting, clipboard access, and protocol detection like ZMODEM — are all triggered by special byte sequences that any program writing to the terminal can emit. When the content displayed is untrusted, those control sequences become an attack surface. The historically dangerous variants are precisely the ones that let remote content write data back into the input stream or query the terminal in ways that produce attacker-influenced responses. Tabby's combination of auto-confirmed ZMODEM and an OSC color-query feedback path is a modern instance of both hazards working together.
The defensive principle that emerges is that any terminal feature which closes the loop — reading output and producing input or a response in reply — must be treated as security-sensitive and, where it can lead to command execution, gated behind explicit user consent or disabled by default. This is also a reminder for the broader population of developers who routinely pipe untrusted content to a terminal, whether by cat-ing a downloaded file, tailing a remote log, or rendering a third-party repository's contents. The safer habits — viewing untrusted files in an editor or a pager configured to strip control sequences rather than a raw terminal — predate this CVE but are exactly what would have blunted it. For Tabby users, the unambiguous remediation remains upgrading to 1.0.233, where the auto-confirmation behavior is fixed.
The fix and the takeaway
The vulnerability is fixed in Tabby 1.0.233, and the GitHub security advisory (GHSA-qr3x-j8g9-xhf6) referenced by the NVD record documents the change. Users should update immediately. Until then, the safest postures are to avoid displaying untrusted files in vulnerable Tabby versions and to be wary of cat-ing arbitrary content from cloned repositories. The deeper, durable lesson is for anyone building terminal emulators or any software that interprets a remote party's output: never let detected protocol activity write into a trusted input channel without explicit user consent. Auto-confirmation is a convenience that, in a terminal, can silently become code execution.