[H8] cak_ store ACL set via bare icacls (PATH search) from SYSTEM -> LPE; silent weaker store on failure #22
Severity: High
Component(s): agent
Affected file(s):
agent/src/credential_store.rs (~lines 309/345)
Problem:
The cak_ store ACL is set by shelling out to a bare icacls (PATH search) from a SYSTEM context, enabling local privilege escalation if icacls.exe is hijacked, and it silently falls back to a weaker store on failure.
Recommended fix:
Use the absolute path C:\Windows\System32\icacls.exe or the Win32 SetNamedSecurityInfoW API, and verify the ACL.
Remediation phase: P3
From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding H8) and REMEDIATION-PLAN.md (P3).
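One way the recommended fix could look, as an added sketch that is not the project's code: icacls is invoked by absolute path, the ACL is read back and checked, and every failure is returned to the caller instead of selecting a weaker store. The function names, the allowlist, the sample path and the reliance on English-locale icacls output are assumptions.

```rust
use std::process::Command;
// Absolute path named in the issue; assumes a default Windows install location.
const ICACLS: &str = r"C:\Windows\System32\icacls.exe";
// Assumed allowlist of principals that may appear on the store.
const ALLOWED: [&str; 2] = [r"NT AUTHORITY\SYSTEM", r"BUILTIN\Administrators"];

/// Check an `icacls <path>` listing: every ACE must name an allowed
/// principal, and at least one ACE must be present. Fails closed.
pub fn verify_acl(path: &str, listing: &str) -> Result<(), String> {
    let mut seen = 0;
    for (i, raw) in listing.lines().enumerate() {
        // First line is "<path> <ACE>"; later lines are indented ACEs.
        let body = if i == 0 { raw.strip_prefix(path).unwrap_or(raw) } else { raw };
        let line = body.trim();
        if line.is_empty() || line.starts_with("Successfully processed") {
            break; // blank line or summary ends the ACE list
        }
        let (principal, _rights) = line
            .split_once(":(")
            .ok_or_else(|| format!("unparseable ACE line: {line}"))?;
        if !ALLOWED.iter().any(|a| a.eq_ignore_ascii_case(principal)) {
            return Err(format!("unexpected principal on store: {principal}"));
        }
        seen += 1;
    }
    if seen == 0 { Err("no ACEs found".into()) } else { Ok(()) }
}

/// Set the ACL (SYSTEM and Administrators by well-known SID, inheritance
/// removed), then read it back. Errors propagate; there is no fallback.
pub fn lock_down(path: &str) -> Result<(), String> {
    let set = Command::new(ICACLS)
        .args([path, "/inheritance:r", "/grant:r", "*S-1-5-18:(F)", "*S-1-5-32-544:(F)"])
        .output()
        .map_err(|e| format!("spawn {ICACLS}: {e}"))?;
    if !set.status.success() {
        return Err(format!("icacls set failed: {}", set.status));
    }
    let get = Command::new(ICACLS).arg(path).output().map_err(|e| e.to_string())?;
    if !get.status.success() {
        return Err(format!("icacls read-back failed: {}", get.status));
    }
    verify_acl(path, &String::from_utf8_lossy(&get.stdout))
}

fn main() {
    // Constructed listing with a placeholder path and one unexpected ACE.
    let listing = "C:\\example\\store NT AUTHORITY\\SYSTEM:(F)\n    BUILTIN\\Users:(RX)\n";
    println!("{:?}", verify_acl(r"C:\example\store", listing));
}
```

Reading the DACL back with GetNamedSecurityInfoW would avoid parsing tool output altogether; the text check here only mirrors the icacls route named in the recommended fix.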