CVE-2026-54325: Pi Agent: Pi loads project-local extensions without approval
Exploitation requires user interaction: the attacker must get a user to open or otherwise work in an attacker-controlled repository and start Pi there. The attacker does not need an account on the user’s machine or prior privileges in Pi.
If exploited, project-local extension code runs with the same permissions as the user running Pi. It can access files, environment variables, credentials available to the process, the network, and local tools available to that user. In CVSS terms, this advisory rates the impact as limited confidentiality and integrity impact without a distinct availability impact because exploitation requires local user action in an untrusted repository and does not cross a privilege boundary.
This risk is most relevant for users who run Pi in repositories they have not reviewed or do not trust. Pi’s security guidance requires users to trust the codebases they work with, or to use an external sandbox or isolation boundary for untrusted repositories.
References
- github.com/advisories/GHSA-mqxh-6gq7-558m
- github.com/earendil-works/pi/commit/38f18be44727e669eb0a6e2eb8edb51b0232d83c
- github.com/earendil-works/pi/commit/718215bd95b6fc6fa251580d27ea8aab857de390
- github.com/earendil-works/pi/commit/89a92207f1c9303d53d822fd9b0ac21578834cb4
- github.com/earendil-works/pi/commit/ce3a72444e1cc1eaa50475fb3378c7ffbb53ef49
- github.com/earendil-works/pi/commit/ff3e9df5f5b32368c20b0ef553a6834b3dee9350
- github.com/earendil-works/pi/releases/tag/v0.79.0
- github.com/earendil-works/pi/security/advisories/GHSA-mqxh-6gq7-558m
- nvd.nist.gov/vuln/detail/CVE-2026-54325
Code Behaviors & Features
Detect and mitigate CVE-2026-54325 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →