earendil-works pi up to 0.78.0 auth.json toctou

Summaryinfo

A vulnerability has been found in earendil-works pi up to 0.78.0 and classified as problematic. This impacts an unknown function of the file auth.json. The manipulation leads to toctou. This vulnerability is traded as CVE-2026-54327. An attack has to be approached locally. There is no exploit available. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in earendil-works pi up to 0.78.0 and classified as problematic. This issue affects an unknown part of the file auth.json. The manipulation with an unknown input leads to a toctou vulnerability. Using CWE to declare the problem leads to CWE-367. The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state. Impacted is confidentiality. The summary by CVE is:

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2026-54327 since 06/12/2026. The exploitation is known to be difficult. Attacking locally is a requirement. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit.

By approaching the search of inurl:auth.json it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 0.78.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 135fb545f99106a4a249274f129b90bc0a77d347 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Vendor

• earendil-works

Name

• pi

Version

• 0.1
• 0.2
• 0.3
• 0.4
• 0.5
• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.21
• 0.22
• 0.23
• 0.24
• 0.25
• 0.26
• 0.27
• 0.28
• 0.29
• 0.30
• 0.31
• 0.32
• 0.33
• 0.34
• 0.35
• 0.36
• 0.37
• 0.38
• 0.39
• 0.40
• 0.41
• 0.42
• 0.43
• 0.44
• 0.45
• 0.46
• 0.47
• 0.48
• 0.49
• 0.50
• 0.51
• 0.52
• 0.53
• 0.54
• 0.55
• 0.56
• 0.57
• 0.58
• 0.59
• 0.60
• 0.61
• 0.62
• 0.63
• 0.64
• 0.65
• 0.66
• 0.67
• 0.68
• 0.69
• 0.70
• 0.71
• 0.72
• 0.73
• 0.74
• 0.75
• 0.76
• 0.77
• 0.78.0

License

• open-source

Website

• Product: https://github.com/earendil-works/pi/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion