Description
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.
Analysis
No analysis available yet.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| earendil-works | pi | affected |
|
No data.
No data.
No data available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 Github GHSA |
GHSA-r95r-rj6r-c39x | Pi Agent: Race condition in Pi auth.json writes could expose stored credentials |
References
History
Tue, 23 Jun 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1. | |
| Title | Pi: Race condition in auth.json writes could expose stored credentials | |
| Weaknesses | CWE-367 CWE-732 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-23T19:28:22.503Z
Reserved: 2026-06-12T18:42:02.224Z
Link: CVE-2026-54327
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.