CVE-2026-54327

LOW 2.2

Pi: Race condition in auth.json writes could expose stored credentials

CVSS Score

2.2

EPSS Score

0.0%

EPSS Percentile

0th

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.

CWE	CWE-367 CWE-732
Vendor	earendil-works
Product	pi
Published	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for earendil-works pi

Be the first to know when new low vulnerabilities affecting earendil-works pi are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Affected Versions

earendil-works / pi

>= 0.74.0, < 0.78.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/earendil-works/pi/security/advisories/GHSA-r95r-rj6r-c39x github.com: https://github.com/earendil-works/pi/commit/135fb545f99106a4a249274f129b90bc0a77d347 github.com: https://github.com/earendil-works/pi/releases/tag/v0.78.1