CVE-2026-30304 - Vulnerability Details

Description

In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

Published: 2026-03-27

Score: 9.6 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to craft prompts that trick the AI Code model into classifying malicious commands as "safe," thereby bypassing the user approval step and executing arbitrary shell commands. This results in remote code execution, enabling attackers to gain full control over the system hosting the AI Code environment and potentially exfiltrate data, persist malware, or disrupt services. The weakness corresponds to an OS command injection flaw, where input validation is insufficient to prevent malicious instructions.

Affected Systems

Any installation of AI Code that relies on its automatic terminal command execution feature is affected, as the vulnerability exists in the design of the safe command decision logic rather than in a specific vendor or version. Systems that permit user input to influence the model’s output—including IDE extensions or custom integrations—are at risk if they enable auto‑execution of safe commands.

Risk and Exploitability

The flaw carries a high risk score due to the ability to execute arbitrary commands with administrative privileges. No EPSS score or KEV listing is available, but the potential impact and the ease of triggering via prompt injection suggest a significant likelihood of exploitation. The attack vector is inferred to be through any interface that accepts user prompts for the AI model; an attacker only needs to supply a crafted prompt that misleads the model into classifying destructive commands as safe.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable automatic safe command execution or enforce user approval for every command.
Implement a strict whitelist or sandbox for each executable command and validate user prompts against it.
Apply any vendor updates or patches when released to address the prompt‑injection flaw.
Audit and log all command executions for signs of abuse.
Conduct regular security reviews of the AI prompt handling code to ensure input validation remains robust.

Generated by OpenCVE AI on March 27, 2026 at 15:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2
https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china

History

Fri, 27 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Title		AI Code Prompt Injection Leading to Arbitrary Command Execution
Weaknesses		CWE-20 CWE-78
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Fri, 27 Mar 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
References		https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2 https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-03-27T00:00:00.000Z

Updated: 2026-03-27T19:48:56.483Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30304

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T15:16:53.263

Modified: 2026-03-27T20:16:28.360

Link: CVE-2026-30304

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:29:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object