Skip to main content

EUVDEUVD-2026-17204

| CVE-2026-30308 CRITICAL
Code Injection (CWE-94)
2026-03-30 mitre GHSA-gr6f-xx69-hrgq
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 30, 2026 - 21:00 euvd
EUVD-2026-17204
Analysis Generated
Mar 30, 2026 - 21:00 vuln.today
CVE Published
Mar 30, 2026 - 00:00 nvd
CRITICAL 9.8

DescriptionCVE.org

In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

AnalysisAI

HAI Build Code Generator's automatic command execution feature can be bypassed through prompt injection attacks, allowing unauthenticated remote code execution by misleading the AI model into misclassifying malicious commands as safe. The vulnerability exploits a fundamental design flaw in the model's safety classification logic, where attackers can wrap destructive commands in generic templates to bypass the user approval requirement that should be triggered for potentially dangerous operations.

Technical ContextAI

HAI Build Code Generator implements an AI-driven command execution system that relies on language model inference to classify commands as either safe (auto-execute) or potentially destructive (require user approval). The vulnerability stems from the inherent susceptibility of large language models to prompt injection attacks-a class of attacks where specially crafted input prompts manipulate model behavior beyond intended parameters. The system's trust in model-based classification without cryptographic validation or sandbox isolation creates a single point of failure. This is a classic example of CWE-94 (Code Injection) and CWE-20 (Improper Input Validation), where the system fails to validate that user-supplied command templates are benign before submitting them to the AI model for classification.

RemediationAI

The primary remediation requires architectural redesign of the command execution safety mechanism. Instead of relying solely on AI model classification, implement a curated allowlist of genuinely safe commands that can be auto-executed, with all other commands requiring explicit user approval regardless of model judgment. For immediate risk reduction: disable automatic command execution entirely and require explicit user confirmation for all commands, or restrict command execution to a read-only sandbox environment where command output is captured but system-level side effects are prevented. Users should review the HAI Build project repository (https://github.com/presidio-oss/hai-build) and the LLM Tool-Calling CVEs tracking repository (https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10) for any published patches or mitigation guidance. No vendor-released patch has been independently confirmed at the time of this analysis.

Share

EUVD-2026-17204 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy