CVSS 7.3 HIGH Vulnerability

CVE-2026-54328: Pi Agent: Predictable temporary extension install paths allow local privilege escalation…


CVSS Score: 7.3
Severity: HIGH
CISA KEV: No
Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-54328
Vendor (package ecosystem): npm
Affected Product: @earendil-works/pi-coding-agent
Vulnerability Type: Predictable temporary install path leading to loading of attacker-controlled extension code (local privilege escalation on shared hosts)
CVSS Score: 7.3 (HIGH)
Actively Exploited: No known exploitation
Patch Status: See the vendor advisory (GitHub Security Advisory)
Source: GitHub Advisory Database, via CYBERDUDEBIVASH SENTINEL APEX Intelligence

🔬 Technical Analysis

Affected versions of pi that install temporary npm or git extension packages used predictable paths under the operating system's temporary directory. On Linux multi-user systems, a local attacker who can write to the shared temporary directory (typically /tmp, which is world-writable by design) can create the expected package location in advance, before another user runs pi with a temporary extension package source. When the victim's pi then installs and loads the extension, it loads attacker-controlled code inside the victim's process, with the victim's privileges. The attacker needs nothing beyond an ordinary local account on the same host, which is why the issue is classed as local privilege escalation rather than remote code execution.

The vulnerable code path affected temporary extension package sources loaded with `--extension` or `-e`, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under `os.tmpdir
