Race Condition Vulnerability in Pi Terminal Coding Harness by Earendil Works
CVE-2026-54327

2.2 LOW

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-54327?

The Pi terminal coding harness, from version 0.74.0 up to but not including 0.78.1, is affected by a race condition that may expose API keys and OAuth credentials stored in its auth.json file. When this file is written, its permissions are briefly whatever the process umask allows, so unauthorized users may be able to read the credentials before the file is restricted to owner-only access. The vulnerability is fixed in version 0.78.1.
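The write pattern described above, next to one way of avoiding the window, as an added Node.js example (not Pi's own code or its actual fix). It assumes a POSIX filesystem; the function names, file names and sample credential are constructed for illustration.

```javascript
// Added illustration; not code from Pi. All names and data are constructed.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

const SAMPLE = JSON.stringify({ provider: { apiKey: "sk-constructed-example" } });

// Weak pattern: the file is created with the default mode (0o666 & ~umask)
// and only tightened afterwards. Between the two calls it is readable by
// whoever the umask lets in.
function writeThenChmod(file, data) {
  fs.writeFileSync(file, data);
  const modeInWindow = fs.statSync(file).mode & 0o777; // what a racing reader sees
  fs.chmodSync(file, 0o600);
  return modeInWindow;
}

// Hardened pattern: create a fresh temp file that is 0o600 from its first
// instant ("wx" = O_CREAT|O_EXCL, so a pre-planted file or symlink is
// rejected), then atomically rename it over the destination.
function writeOwnerOnly(file, data) {
  const tmp = `${file}.${process.pid}.tmp`;
  const fd = fs.openSync(tmp, "wx", 0o600);
  let modeAtCreate;
  try {
    modeAtCreate = fs.fstatSync(fd).mode & 0o777;
    fs.writeSync(fd, data);
    fs.fsyncSync(fd);
  } finally {
    fs.closeSync(fd);
  }
  fs.renameSync(tmp, file);
  return modeAtCreate;
}

// Runs both patterns in a scratch directory under a common default umask.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "authjson-"));
  const previous = process.umask(0o022);
  try {
    const weak = writeThenChmod(path.join(dir, "weak-auth.json"), SAMPLE);
    const safe = writeOwnerOnly(path.join(dir, "auth.json"), SAMPLE);
    const final = fs.statSync(path.join(dir, "auth.json")).mode & 0o777;
    return { weak, safe, final };
  } finally {
    process.umask(previous);
    fs.rmSync(dir, { recursive: true, force: true });
  }
}
```

With umask 022 the first pattern leaves the file world-readable (mode 644) until the chmod runs, while the second never exposes a mode wider than 600.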

Affected Version(s)

pi >= 0.74.0, < 0.78.1

CVSS V3.1

Score: 2.2
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved