Description
Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process. This vulnerability is fixed in 0.78.1.
Published: 2026-06-23
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker‑controlled extension code in the victim user's process, allowing the attacker to execute code in that context and potentially elevate privileges within that user’s account. The flaw is due to the predictable temporary file path usage (CWE‑379). The vulnerability was fixed in version 0.78.1.

Affected Systems

The affected product is the Pi terminal coding harness from earendil‑works. Any installation of Pi between versions 0.74.0 and 0.78.1 inclusive is vulnerable, and the fix is available in version 0.78.1 and later.

Risk and Exploitability

The CVSS score is 7.3, and the exploit probability is unknown due to missing EPSS data. The vulnerability is not listed in CISA KEV. The likely attack vector is local: an attacker must be able to write to the system temporary directory on a multi‑user Linux host. Once the attacker writes a malicious package into the predictable path, Pi will load the code as an extension, leading to local privilege escalation without requiring any additional privileges or network interaction.

Generated by OpenCVE AI on June 24, 2026 at 10:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi to version 0.78.1 or later to eliminate the predictable temporary path usage
  • Configure the operating system to restrict write permission to the temporary directory (e.g., set /tmp to not allow write by other users or use a per‑user temporary path)
  • If immediate upgrade is not possible, monitor for unauthorized packages in the temporary directory and remove any that match the expected naming pattern used by Pi before execution

Generated by OpenCVE AI on June 24, 2026 at 10:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jfgx-wxx8-mp94 Pi Agent: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Earendil-works
Earendil-works pi
Vendors & Products Earendil-works
Earendil-works pi

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process. This vulnerability is fixed in 0.78.1.
Title Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Weaknesses CWE-379
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Earendil-works Pi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T13:38:04.242Z

Reserved: 2026-06-12T18:42:02.224Z

Link: CVE-2026-54328

cve-icon Vulnrichment

Updated: 2026-06-24T13:37:56.654Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:39Z

Weaknesses
  • CWE-379

    Creation of Temporary File in Directory with Insecure Permissions