Description
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.
Published: 2026-06-23
Score: 2.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in Pi’s file write logic allows a brief period during which the auth.json file, which stores API keys and OAuth credentials, may be created or overwritten with permissions derived from the process umask rather than the intended owner‑only setting. This window can expose sensitive credentials to other users on the same system while Pi is running, constituting an information disclosure vulnerability.

Affected Systems

Version 0.74.0 through 0.78.0 of Pi, a minimal terminal coding harness from earendil‑works, are affected. All binaries released under those version numbers that write to auth.json are vulnerable.

Risk and Exploitability

The CVSS score of 2.2 indicates low severity, and no EPSS data or KEV listing suggests exploitation is unlikely. The likely attack vector is a local actor who can trigger a write to auth.json, such as a user running Pi or a malicious code injection that invokes Pi’s write path. The flaw requires local access; remote exploitation is not described in the CVE data.

Generated by OpenCVE AI on June 24, 2026 at 10:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi to version 0.78.1 or later, where the race condition and permission handling have been corrected.
  • If an upgrade is not immediately possible, ensure that the auth.json file is set to permissions 0600 immediately after creation or after the write operation, using a secure file creation method or a post‑write permission fix.
  • Configure the Pi process to run with an umask of 077 (or similar owner‑only default) so that any newly created files inherit secure permissions, reducing the window the race condition can exploit.

Generated by OpenCVE AI on June 24, 2026 at 10:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-r95r-rj6r-c39x Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
History

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Earendil-works
Earendil-works pi
Vendors & Products Earendil-works
Earendil-works pi

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.
Title Pi: Race condition in auth.json writes could expose stored credentials
Weaknesses CWE-367
CWE-732
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

Earendil-works Pi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:09:58.763Z

Reserved: 2026-06-12T18:42:02.224Z

Link: CVE-2026-54327

cve-icon Vulnrichment

Updated: 2026-06-26T18:09:54.757Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:35Z

Weaknesses
  • CWE-367

    Time-of-check Time-of-use (TOCTOU) Race Condition

  • CWE-732

    Incorrect Permission Assignment for Critical Resource