Privilege Escalation via Tab Completion

The cursor blinked twice, and the terminal waited. You hit Tab—and it gave you more than you asked for. That’s the moment privilege escalation hides inside tab completion.

Privilege escalation via tab completion happens when shell environments, CLI tools, or custom autocomplete scripts expose commands, paths, or files that a lower-privilege user should never see or use. The autocomplete logic reads from system directories or executes lookups with elevated permissions, revealing sensitive binaries or configuration files. From there, exploitation is a matter of selecting the right entry and running it with the inherited privilege level.

In Bash, Zsh, and other shells, tab completion is often customized with functions and plugins. These run code silently when you press Tab. If that code executes with higher privileges—or uses cached results from privileged contexts—it can bypass normal security checks. Attackers know this. They look for completion scripts that touch /etc, restricted home directories, or privileged APIs. A poorly confined autocomplete function can open a direct path to root.

Secure implementations limit tab completion scope, enforce user-based permissions at every call, and avoid privileged path discovery entirely. Least privilege must apply even to helper utilities. Auditing completion scripts for unsafe paths, ambiguous command expansions, and unprotected variable handling is critical.

The common oversights:

  • Running completion scripts as root without revalidating permissions after returning results.
  • Allowing completions to reveal restricted file names.
  • Loading insecure third-party shell plugins.

Mitigation requires review of all tab completion configurations, especially those built internally for deployment scripts, cloud tooling, and build systems. Combine file access checks with explicit downgrades of privileges before generating any suggestions. Invest in automated testing for autocomplete features—they are part of the execution surface.
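One way to start that review is a heuristic scan of the completion scripts installed on a host. This is an added example, not code from the original article or from any tool it mentions; the function names and grep patterns are assumptions chosen to match the oversights listed above, and each finding is a lead for manual review rather than proof of a flaw.

```shell
#!/bin/sh
# Added example: heuristic audit of shell completion scripts.
# Patterns are illustrative assumptions; findings are leads for manual review.

# audit_completion_file FILE
# Prints one finding per line; exit status 0 = clean, 1 = findings.
audit_completion_file() (
    f=$1
    findings=0
    report() { printf '%s: %s\n' "$f" "$1"; findings=$((findings + 1)); }
    # Ignore full-line comments so documentation does not trigger matches.
    code=$(grep -v '^[[:space:]]*#' "$f" || true)
    has() { printf '%s\n' "$code" | grep -Eq "$1"; }

    # Group/world-writable script: another user can plant code that runs on Tab.
    [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ] &&
        report "writable by group or others"
    # Completion logic should never elevate privileges to build suggestions.
    has '(^|[^[:alnum:]_])(sudo|doas|pkexec)([^[:alnum:]_]|$)' &&
        report "invokes a privilege-elevation helper"
    # eval on words taken from the command line is unprotected variable handling.
    has '(^|[^[:alnum:]_])eval[[:space:]]' &&
        report "uses eval"
    # Enumerating restricted locations leaks names to lower-privilege users.
    has '/etc/(shadow|sudoers)|/root(/|[^[:alnum:]_]|$)' &&
        report "reads a restricted path"
    # Caches in shared temp directories can be seeded by other users.
    has '/(var/)?tmp/' &&
        report "uses a cache under a shared temp directory"
    [ "$findings" -eq 0 ]
)

# audit_completion_dirs DIR...
# Audits every regular file in the given directories; status 1 if any file has findings.
audit_completion_dirs() (
    status=0
    for d in "$@"; do
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            audit_completion_file "$f" || status=1
        done
    done
    [ "$status" -eq 0 ]
)
```

On a typical Linux host with bash-completion installed, a first pass would be `audit_completion_dirs /etc/bash_completion.d /usr/share/bash-completion/completions`, followed by any directories your internal tooling installs completions into.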

Privilege escalation through tab completion is quiet, fast, and often ignored in audits. Yet it belongs in threat models alongside obvious attacks. Every keystroke in the shell is code execution.

Want to see fast, secure privilege handling baked in? Try hoop.dev—build, run, and harden environments where autocomplete is safe. See it live in minutes.