CVE-2026-54327

Description

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected products

earendil-works / pi>= 0.74.0, < 0.78.1 – >= 0.74.0, < 0.78.1

References

VENDOR_ADVISORYhttps://github.com/earendil-works/pi/security/advisories/GHSA-r95r-rj6r-c39x
PATCHhttps://github.com/earendil-works/pi/commit/135fb545f99106a4a249274f129b90bc0a77d347
PATCHhttps://github.com/earendil-works/pi/releases/tag/v0.78.1