Description
A weakness has been identified in Aider-AI Aider 0.86.3. Affected by this issue is some unknown functionality of the component Code Generation Workflow. Executing a manipulation can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw in the Code Generation Workflow of Aider-AI Aider version 0.86.3. By crafting a malicious payload through the workflow, an attacker can inject arbitrary SQL statements that the application will execute against its database. The impact includes unauthorized data access, manipulation of existing records, and potential denial of service if destructive queries are run. The description notes that the attack can be executed remotely and that a public exploit is available, indicating that no special access or privileged credentials are required to exploit the flaw.

Affected Systems

Aider-AI’s Aider application, specifically the 0.86.3 release. No other versions or patches are listed as affected, so only this build is confirmed to contain the flaw.

Risk and Exploitability

With a CVSS score of 5.3, the risk is classified as moderate. While the EPSS score is not available, the fact that the exploit is publicly available and can be launched remotely means that an attacker can act without prior compromise. The flaw is not listed in CISA’s KEV catalog, but its remote nature and public exploit code increase the likelihood of real-world attacks. The overall risk is moderate to high in environments that expose the Code Generation Workflow to untrusted users.

Generated by OpenCVE AI on May 31, 2026 at 11:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Aider to the latest release once a patch for the 0.86.3 vulnerability becomes available.
  • If an update cannot be applied immediately, restrict access to the Code Generation Workflow so that only trusted users or internal networks can invoke it.
  • Ensure that all user-supplied input passed to SQL statements is sanitized and that prepared statements with parameterized queries are used, following best practices for preventing SQL injection flaws.


Advisories

No advisories yet.

History

Sun, 31 May 2026 10:00:00 +0000

Type / Values Removed / Values Added (this is the initial record: every value below was added, none removed)

Description: A weakness has been identified in Aider-AI Aider 0.86.3. Affected by this issue is some unknown functionality of the component Code Generation Workflow. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title: Aider-AI Aider Code Generation Workflow sql injection
First Time appeared: Aider-ai; Aider-ai aider
Weaknesses: CWE-74; CWE-89
CPEs: cpe:2.3:a:aider-ai:aider:*:*:*:*:*:*:*:*
Vendors & Products: Aider-ai; Aider-ai aider
References:
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T09:00:13.581Z

Reserved: 2026-05-30T16:21:42.889Z

Link: CVE-2026-10176

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T10:16:17.103

Modified: 2026-05-31T10:16:17.103

Link: CVE-2026-10176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T11:30:16Z

Weaknesses