Description
In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution
Action: Apply Fix
AI Analysis

Impact

The vulnerability arises from a prompt injection flaw in the HAI Build Code Generator that causes the language model to incorrectly flag malicious shell instructions as "safe". Attackers can craft prompts that deceive the model into believing a destructive command is harmless, triggering automatic execution without user consent. This weakness is identified as CWE-94, an instance of code injection that permits arbitrary code execution on the host system.

Affected Systems

The affected product is Presidio’s HAI Build Code Generator. All releases incorporating the automatic command‑execution feature are potentially vulnerable, as no specific version data is provided. Users of the tool should assume all current installations are at risk until a fix is applied.

Risk and Exploitability

The CVSS base score of 9.8 marks the flaw as critical, yet the EPSS score of less than 1% indicates that exploitation events are currently rare. The vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed widespread exploitation to date. The likely attack vector, inferred from the description, is a prompt injection via the code‑generation interface, where a crafted user input leads the model to invoke unintended terminal commands.

Generated by OpenCVE AI on April 8, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the ‘Execute all commands’ mode and rely solely on the safe‑command option whenever possible.
  • Restrict use of the generator to trusted authorized users and enforce least‑privilege access controls.
  • Run the tool inside a sandbox or isolated environment to contain any potential damage.
  • Implement logging and monitoring of all executed commands to detect anomalous activity.
  • Follow Presidio’s repository or contact the maintainer for a patch, and apply it as soon as it becomes available.

Generated by OpenCVE AI on April 8, 2026 at 17:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Prompt Injection Enables Arbitrary Command Execution in HAI Build Code Generator

Wed, 08 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Presidio
Presidio hai Build
CPEs cpe:2.3:a:presidio:hai_build:*:*:*:*:*:*:*:*
Vendors & Products Presidio
Presidio hai Build

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Prompt Injection Enables Arbitrary Command Execution in HAI Build Code Generator
First Time appeared Presidio-oss
Presidio-oss hai Build
Vendors & Products Presidio-oss
Presidio-oss hai Build

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Title Auto Command Execution Enables Remote Code Execution via Prompt Injection
Weaknesses CWE-77

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
Title Auto Command Execution Enables Remote Code Execution via Prompt Injection
Weaknesses CWE-77

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Description In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
References

Subscriptions

Presidio Hai Build
Presidio-oss Hai Build
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-01T18:00:06.982Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30308

cve-icon Vulnrichment

Updated: 2026-04-01T17:59:52.782Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T21:17:09.107

Modified: 2026-04-08T15:44:35.610

Link: CVE-2026-30308

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:00:48Z

Weaknesses