CVE-2026-54327

Low · CVSS 2.2

Exploitation Probability (EPSS)

Low risk
0.07%

0th percentile — higher than 0% of all known CVEs

Summary

Pi, a minimal terminal coding harness, stores API keys and OAuth credentials in auth.json. In versions from 0.74.0 up to, but not including, 0.78.1, a race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions.
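
The write-then-tighten ordering described above, next to an ordering that never exposes a wider mode, as an added Python example (not Pi's code). The function names, the auth2.json file name and the sample contents are constructed for illustration; a POSIX system and a umask of 0o022 are assumed.

```python
import os
import tempfile

SAMPLE = '{"api_key": "constructed-placeholder"}'  # constructed, not a real secret

def mode_of(path):
    return os.stat(path).st_mode & 0o777

def write_then_chmod(path, data, observe):
    """Racy ordering: created with 0o666 & ~umask, tightened only afterwards."""
    with open(path, "w") as fh:
        fh.write(data)
        fh.flush()
        observe(mode_of(path))        # what another local user sees in the window
    os.chmod(path, 0o600)
    observe(mode_of(path))

def write_owner_only(path, data, observe):
    """Hardened ordering: 0o600 from creation, then an atomic rename into place."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp opens with O_CREAT | O_EXCL and mode 0o600, regardless of umask
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".auth-")
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), 0o600)   # explicit, in case defaults change
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
            observe(mode_of(tmp))
        os.replace(tmp, path)         # rewrite case: old file swapped atomically
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    observe(mode_of(path))

def demo():
    """Return the modes observed during and after each write."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy, safe = [], []
            write_then_chmod(os.path.join(d, "auth.json"), SAMPLE, racy.append)
            write_owner_only(os.path.join(d, "auth2.json"), SAMPLE, safe.append)
            return racy, safe
    finally:
        os.umask(old)

if __name__ == "__main__":
    print([[oct(m) for m in modes] for modes in demo()])
```

The first list shows the file readable by group and others until the chmod lands; the second shows owner-only permissions at every observation point.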

Risk Assessment

The risk is that for a short period, the file containing sensitive credentials may be accessible to other system users, potentially leading to the leakage of API keys and OAuth tokens.

Recommendation

Immediately update Pi to version 0.78.1 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS