Description
A vulnerability was identified in Aider-AI Aider 0.86.3. Affected is an unknown function of the file aider/args.py of the component Pre-commit Hook Handler. Such manipulation of the argument git-commit-verify leads to protection mechanism failure. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Aider-AI Aider 0.86.3 contains a flaw in the pre-commit hook handler within aider/args.py. By manipulating the "git-commit-verify" argument, an attacker can subvert the intended protection mechanism, allowing unauthorized or malicious changes to be applied through Git commit operations. The vulnerability is classified as protection mechanism failure (CWE-693) and does not directly grant code execution, but it threatens repository integrity and could facilitate tampering with code history.

Affected Systems

The only product explicitly listed as vulnerable is the Aider-AI Aider repository, version 0.86.3. No other versions or components are mentioned in the CVE data as affected.

Risk and Exploitability

The listed CVSS score of 5.3 represents moderate severity, and EPSS data is not available. The vulnerability is not in the CISA KEV catalog. Because the exploit is publicly available and the attack vector can be exercised remotely (likely via a crafted Git commit carrying the malicious argument), an adversary need not have local access. The absence of a vendor patch at the time of reporting creates uncertainty about current mitigation, but the moderate severity and public exploitability suggest that the issue warrants immediate attention.

Generated by OpenCVE AI on May 31, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aider to a version that includes a fixed protection mechanism once the vendor releases a patch, or contact Aider support for confirmation of a fix.
  • Disable the pre-commit hook that relies on the "git-commit-verify" argument until a corrective update is available, preventing the flaw from being triggered.
  • Restrict the "git-commit-verify" argument so it can only be supplied by trusted scripts or privileged users, limiting the ability of untrusted input to influence the hook.
  • Implement repository-side controls such as signed-commit enforcement or a pre-flight compliance check to identify and reject commits altered by the flawed hook.


Tracking


Advisories

No advisories yet.

History

Sun, 31 May 2026 09:00:00 +0000

Values removed: none.

Values added:

  • Description: A vulnerability was identified in Aider-AI Aider 0.86.3. Affected is an unknown function of the file aider/args.py of the component Pre-commit Hook Handler. Such manipulation of the argument git-commit-verify leads to protection mechanism failure. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: Aider-AI Aider Pre-commit Hook args.py protection mechanism
  • First Time appeared: Aider-ai; Aider-ai aider
  • Weaknesses: CWE-693
  • CPEs: cpe:2.3:a:aider-ai:aider:*:*:*:*:*:*:*:*
  • Vendors & Products: Aider-ai; Aider-ai aider
  • References: (none listed)
  • Metrics:
      cvssV2_0: score 6.5, vector AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
      cvssV3_0: score 6.3, vector CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
      cvssV3_1: score 6.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
      cvssV4_0: score 5.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T08:00:11.079Z

Reserved: 2026-05-30T16:15:34.862Z

Link: CVE-2026-10174

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T09:16:14.250

Modified: 2026-05-31T09:16:14.250

Link: CVE-2026-10174

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T11:00:10Z

Weaknesses