CVE-2026-54327: Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
Exploitation requires local access to the same machine and read/traverse access to the victim’s Pi agent configuration directory. Users whose ~/.pi/agent directory is private to their account are less exposed. The main impact is disclosure of stored provider credentials, which may allow use of the configured provider accounts according to the privileges of those credentials.
This is not remotely exploitable by itself.
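A check for the exposure condition described above, added here as an example and not part of the advisory or the Pi project's code: it reports whether `~/.pi/agent` or anything directly inside it is owned by another user or accessible to group/other, and can strip those bits. It assumes a POSIX system and that auth.json sits directly in that directory; the function names are illustrative.

```python
import os
import stat

AGENT_DIR = os.path.expanduser("~/.pi/agent")  # directory named in the advisory


def audit_private(path, uid=None):
    """Return findings for `path` and its direct entries; [] means owner-only."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: do not follow a symlinked config dir
    except FileNotFoundError:
        return [f"{path}: missing"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a real directory (symlink or file)"]
    # Audit every entry, not only auth.json, so sibling files are covered too.
    targets = [(path, st)]
    for entry in os.scandir(path):
        targets.append((entry.path, entry.stat(follow_symlinks=False)))
    findings = []
    for p, s in targets:
        if s.st_uid != uid:
            findings.append(f"{p}: owned by uid {s.st_uid}, expected {uid}")
        if stat.S_ISLNK(s.st_mode):
            continue  # permission bits on a symlink carry no meaning
        extra = stat.S_IMODE(s.st_mode) & 0o077
        if extra:
            findings.append(f"{p}: group/other bits {extra:03o} set")
    return findings


def harden(path):
    """Strip group/other bits from the directory first, then its entries."""
    entries = [e.path for e in os.scandir(path) if not e.is_symlink()]
    for p in [path] + entries:
        os.chmod(p, stat.S_IMODE(os.lstat(p).st_mode) & 0o700)


if __name__ == "__main__":
    results = audit_private(AGENT_DIR)
    for line in results or [f"{AGENT_DIR}: private to owner"]:
        print(line)
```

An empty result only covers the directory and its direct entries; a directory that was readable by others in the past may already have exposed the stored credentials.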