Skip to main content

Pi Coding Agent CVE-2026-54327

LOW
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-17 https://github.com/earendil-works/pi GHSA-r95r-rj6r-c39x
Crowdstrike Information Disclosure
2.2
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.2 LOW
AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
2.2 LOW

Local-only attack vector, High complexity from race timing window, Low privileges for directory traversal, Restricted confidentiality to stored credential file contents only.

3.1 AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
4.0 AV:L/AC:H/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 14:21 vuln.today
Analysis Generated
Jun 17, 2026 - 14:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 32 npm packages depend on @earendil-works/pi-coding-agent (32 direct, 0 indirect)
  • 1 npm packages depend on @mariozechner/pi-coding-agent (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.74.0 and other introduced versions.

DescriptionGitHub Advisory

Pi auth.json writes could briefly expose stored credentials to local users

Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions.

Info

The affected credential storage code wrote auth.json and then corrected the file mode in a separate operation. During the interval between those operations, a local user who could read and traverse the Pi agent configuration directory could potentially read the file before its permissions were restricted.

The file can contain API keys, OAuth access tokens, and OAuth refresh tokens for configured providers. The affected behavior was present in the original auth.json credential storage implementation and thus affects both the original @mariozechner/pi-coding-agent package as well as @earendil-works/pi-coding-agent.

Impact

Exploitation requires local access to the same machine and read/traverse access to the victim's Pi agent configuration directory. Users whose ~/.pi/agent directory is private to their account are less exposed. The main impact is disclosure of stored provider credentials, which may allow use of the configured provider accounts according to the privileges of those credentials.

This is not remotely exploitable by itself.

Affected versions

  • Affected: @mariozechner/pi-coding-agent >= 0.28.0, <= 0.73.1
  • Affected: @earendil-works/pi-coding-agent >= 0.74.0, < 0.78.1
  • Patched: @earendil-works/pi-coding-agent >= 0.78.1

The solution

Version 0.78.1 changed the credential storage writes to create auth.json with mode 0600 at open time. The fix applies to initial file creation and credential save paths, including OAuth token refresh writes.

Recommendations

Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later. Users still on the deprecated @mariozechner/pi-coding-agent package should migrate to the @earendil-works/pi-coding-agent package and install version 0.78.1 or later.

After upgrading, rotate any credentials that may have been exposed on multi-user systems where the Pi agent configuration directory was readable by other local users.

Workarounds

If upgrading immediately is not possible, restrict the Pi agent configuration directory so only the owning user can traverse it, restrict auth.json to owner-only permissions, and run Pi with a restrictive umask such as 077 until the upgrade is complete.

Timeline

  • 2026-05-29: Report received
  • 2026-06-02: Fix committed
  • 2026-06-04: Fixed version released
  • 2026-06-08: Advisory published

Credits

Reported by Paul Urian and Cosmin Alexa of CrowdStrike.

AnalysisAI

Credential disclosure in Pi coding agent affects all versions of @mariozechner/pi-coding-agent (>=0.28.0, <=0.73.1) and @earendil-works/pi-coding-agent (>=0.74.0, <0.78.1) due to a TOCTOU race condition in auth.json file writes. The credential storage code wrote auth.json with umask-inherited permissions and only subsequently tightened the mode to owner-only, leaving a brief window in which a local user with directory traverse access could read API keys, OAuth access tokens, and OAuth refresh tokens. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain local shell account on target system
Delivery
Confirm victim's ~/.pi/agent directory is traversable
Exploit
Monitor directory for auth.json write event via inotify or polling
Execution
Race to open auth.json before permission tightening completes
Persist
Read API keys or OAuth tokens from file
Impact
Authenticate to victim's third-party provider accounts
Sign in to reveal

Vulnerability AssessmentAI

Exploitation All of the following conditions must hold simultaneously: (1) the attacker has a local shell account on the same machine as the victim; (2) the victim's Pi agent configuration directory (~/.pi/agent or equivalent) is traversable by the attacker - i.e., not restricted to owner-only permissions; (3) the attacker successfully times a file read to the brief window between auth.json creation and the permission-tightening operation, classified AC:H in the CVSS vector; and (4) the victim must trigger a credential write during the attack window (UI:R) - this occurs on initial auth setup, credential saves, or OAuth token refresh. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 score of 2.2 (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N) is independently validated and accurately reflects real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local attacker on a shared multi-user system identifies a victim whose ~/.pi/agent directory is world-traversable. The attacker uses inotifywait or a tight polling loop to detect when auth.json is created or rewritten - for example, during an OAuth token refresh triggered by the victim's normal use of Pi - and immediately opens the file in the brief window before permissions are tightened to 0600. …
Remediation Vendor-released patch: @earendil-works/pi-coding-agent 0.78.1. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-54328 HIGH
7.3 Jun 17

Local privilege escalation in the Pi coding agent (npm packages @earendil-works/pi-coding-agent 0.74.0-0.78.0 and @mario
CVE-2026-54326 LOW
2.5 Jun 16

Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a

Share

CVE-2026-54327 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy