Description
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
Published: 2026-01-30
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The CAI framework allows untrusted input to be passed unchanged to a shell command through subprocess.Popen with shell=True, enabling an attacker to inject arbitrary arguments such as "-exec" into the find_file tool. This results in Remote Code Execution on the host system, bypassing any human-in-the-loop safety mechanisms, and can compromise confidentiality, integrity, and availability of the platform. The weakness is a classic command injection scenario (CWE-78).

Affected Systems

The vulnerability affects the aliasrobotics Cybersecurity AI (CAI) framework, versions up to and including 0.5.10. Users running these releases should verify the current commit hash against the patched revision highlighted in the advisory.

Risk and Exploitability

With a CVSS score of 9.7 and an EPSS of less than 1%, the exploit potential is high but relatively uncommon. The issue is not listed in the CISA KEV catalog. The likely attack vector involves supplying malicious arguments to the find_file tool, either through local user input if the tool is used directly or via a remote actor who can influence the input passed to CAI. No obvious prerequisites beyond the ability to control the argument list are required.

Generated by OpenCVE AI on April 18, 2026 at 01:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from commit e22a1220f764e2d7cf9da6d6144926f53ca01cde or upgrade to a CAI release that incorporates this fix.
  • If an immediate upgrade is not feasible, disable the find_file tool or limit its execution to trusted, audited users to eliminate the attack surface.
  • Audit the framework for any additional subprocess.Popen invocations with shell=True and replace them with safe, argument-array usage or enforce strict input sanitization.

Generated by OpenCVE AI on April 18, 2026 at 01:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jfpc-wj3m-qw2m CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection
History

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Aliasrobotics
Aliasrobotics cai
Vendors & Products Aliasrobotics
Aliasrobotics cai

Mon, 02 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 20:30:00 +0000

Type Values Removed Values Added
Description Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
Title Cybersecurity AI vulnerable to command Injection through argument injection in find_file Agent tool
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Aliasrobotics Cai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-02T18:01:06.518Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25130

cve-icon Vulnrichment

Updated: 2026-02-02T18:01:01.143Z

cve-icon NVD

Status : Deferred

Published: 2026-01-30T21:15:58.443

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25130

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T01:15:05Z

Weaknesses