Skip to main content

Pi Mono CVE-2026-5557

| EUVDEUVD-2026-19062 LOW
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-04-05 VulDB GHSA-vm3q-w7cc-43ff
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:11 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:11 NVD
5.3 (MEDIUM) 2.1 (LOW)
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 05, 2026 - 10:00 euvd
EUVD-2026-19062
Analysis Generated
Apr 05, 2026 - 10:00 vuln.today
CVE Published
Apr 05, 2026 - 09:45 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability was detected in badlogic pi-mono up to 0.58.4. This issue affects some unknown processing of the file packages/mom/src/slack.ts of the component pi-mom Slack Bot. The manipulation results in authentication bypass using alternate channel. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authentication bypass in badlogic pi-mono up to version 0.58.4 allows authenticated attackers to escalate privileges or access unauthorized Slack channels via the pi-mom Slack Bot component. The vulnerability stems from improper authentication validation in the Slack channel routing logic and can be exploited remotely by users with existing access to the system. Public exploit code is available, and the vendor has not responded to disclosure attempts, making this an active security concern for deployed instances.

Technical ContextAI

The vulnerability resides in the pi-mom Slack Bot component, specifically in the file packages/mom/src/slack.ts, which handles Slack workspace integration and channel authorization. The root cause is classified as CWE-288 (Authentication Using Alternate Channel), indicating that the Slack Bot fails to properly validate authentication context when processing requests across different Slack channels. This allows an authenticated user to bypass intended channel-level access controls by manipulating channel routing parameters. The affected product is badlogic's pi-mono framework (CPE: cpe:2.3:a:badlogic:pi-mono), which appears to be used for workflow automation and integration services.

RemediationAI

No vendor-released patch identified at time of analysis. The vendor did not respond to disclosure contact. Immediate remediation requires one of the following approaches: (1) Disable the pi-mom Slack Bot component if not actively required for operations; (2) Implement network-level access controls to restrict Slack API token usage and channel routing based on organizational policy; (3) Monitor and audit all Slack Bot authentication events and channel-switching activities for anomalous patterns. If future patched versions become available, upgrade pi-mono to the latest patched release immediately. In the interim, apply principle of least privilege to any service accounts used for Slack Bot integration and restrict access to the Slack workspace itself. For additional technical details and to track vendor response, consult the VulDB advisory at https://vuldb.com/vuln/355327 and monitor the public disclosure discussion at https://github.com/August829/CVEP/issues/28.

Share

CVE-2026-5557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy