External risk intelligence

Tabby could allow an external attacker to take control of a user's computer.

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-45035

Tabby contains a flaw that allows an external attacker to compromise a user’s computer through a malicious link. If clicked, the attacker can run unauthorized commands, potentially leading to the theft of sensitive local files or complete control of the workstation.

Halo Surface Signal: 1

OS Command Injection

Tabby

before 1.0.233

External exposure likelihood

Halo Surface Signal score for CVE-2026-45035

The vulnerability affects a client-side desktop application (terminal emulator) installed on user workstations. Exploitation requires a user to click a malicious link from an external source to trigger command execution locally. This is a client-side issue, not a public-facing network service or infrastructure component.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in Tabby, a terminal emulator: it handles its custom URL scheme without proper confirmation. This allows a malicious link to execute arbitrary operating system commands with the user's privileges.

  • Execution requires user interaction with a crafted link.
  • Affects users of the Tabby terminal emulator.
  • Can lead to full system compromise.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a victim into clicking a specially crafted `tabby://` URL. This link, delivered through email, chat, or a website, will cause the Tabby terminal emulator to execute any command specified in the URL without user confirmation. This allows for remote code execution on the victim's machine with their current privileges.

  • Victim must click link.
  • Malicious URL delivery needed.
  • No user confirmation.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Tabby allows for remote code execution via a crafted URL that bypasses user confirmation and sanitization. Attackers can exploit this by distributing malicious links through various communication channels. The severity of this flaw makes it an attractive target, although its client-side nature and user interaction requirement for exploitation may influence how broadly it is weaponized.

  • User must click a malicious link.
  • Exploitation is client-side.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking any `tabby://` links in external communications or on public-facing websites. Since this is a client-side vulnerability requiring user interaction, focus on user education and endpoint protection. Immediately update Tabby to version 1.0.233 or later to patch the command execution flaw.

  • Update Tabby to 1.0.233.
  • Block `tabby://` URL scheme.
  • Educate users on malicious links.
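
One way to find `tabby://` links in mail bodies, chat exports or proxy logs so they can be blocked or quarantined. This is an added example, not part of the original advisory and not Tabby's or Halo's code. The function name, verdict labels and samples are constructed for illustration, and it assumes the action is the first component after `tabby://`, as in the `tabby://run?command=...` form this advisory describes.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# tabby:// with the ":" and "/" either literal or percent-encoded, any letter case.
TABBY_URL = re.compile(r"tabby(?::|%3a)(?:/|%2f){2}[^\s\"'<>]+", re.IGNORECASE)


def find_tabby_links(text):
    """Return (verdict, url) for each tabby:// link in a message body or log line."""
    findings = []
    # Resolve HTML entities first so tabby&#58;// and &amp; in HTML mail are seen.
    for match in TABBY_URL.finditer(html.unescape(text)):
        url = match.group(0).rstrip(".,;)")  # drop trailing sentence punctuation
        if not url.lower().startswith("tabby://"):
            url = unquote(url)  # link was carried percent-encoded inside another URL
        try:
            parts = urlsplit(url)
        except ValueError:
            findings.append(("unparsable", url))  # still a tabby:// link: keep it
            continue
        # Assumption: the action is the first component after tabby://
        action = (parts.netloc or parts.path.lstrip("/").split("/")[0]).lower()
        # Keys compared case-insensitively so detection errs toward flagging.
        params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
        if action == "run" and "command" in params:
            findings.append(("run-command", url))
        else:
            findings.append(("other-tabby-link", url))
    return findings


# Constructed samples; EXAMPLE stands in for the command value.
SAMPLES = [
    'Click <a href="tabby://run?command=EXAMPLE">here</a>',
    "See TABBY&#58;//Run/?Command=EXAMPLE&amp;x=1.",
    "https://example.test/r?u=tabby%3A%2F%2Frun%3Fcommand%3DEXAMPLE",
    "Open tabby://other-action?x=1",
    "Release notes for Tabby 1.0.233",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(find_tabby_links(sample) or "clean", "<-", sample)
```

Treat `run-command` hits as the form described in this advisory; `other-tabby-link` and `unparsable` hits are still `tabby://` links and fall under the blocking recommendation above.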

Frequently asked questions

What is the primary function of Tabby and how does this vulnerability affect it?

Tabby is a terminal emulator. The vulnerability allows a malicious `tabby://` URL to execute OS commands directly without user confirmation, bypassing sanitization and sandboxing, leading to unintended command execution.

What type of weakness allows attackers to execute commands in Tabby?

The weakness is a lack of proper handling for the `tabby://` URL scheme. The scheme supports a 'run' command that executes OS commands directly, without requiring user confirmation, sanitization, or sandboxing, which is a form of command injection (CWE-78).

How can an attacker trigger the vulnerability, and what is the scope of the execution?

An attacker crafts a malicious `tabby://run?command=...` link and delivers it via email, chat, or websites. When a user clicks the link, Tabby launches and executes the command as a child process with the user's full privileges, resulting in remote code execution.

How does Halo assess the threat of this Tabby vulnerability?

Halo considers the threat very unlikely. The vulnerability affects a client-side desktop application, requires user interaction (clicking a malicious link), and is not a public-facing network service.

What are the immediate steps to mitigate the risk associated with this Tabby vulnerability?

Update Tabby to version 1.0.233 or later. Additionally, educate users about the dangers of clicking on suspicious links and consider blocking `tabby://` URLs in communications to prevent exploitation.
