CVE-2026-54328 PUBLISHED

Pi: Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts

Assigner: GitHub_M
Reserved: 12.06.2026 Published: 23.06.2026 Updated: 24.06.2026

Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process. This vulnerability is fixed in 0.78.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	High

CVSS 3.1

Product Status

Vendor	earendil-works
Product	pi
Versions	Version >= 0.74.0, < 0.78.1 is affected

References

Problem Types

CWE-379: Creation of Temporary File in Directory with Insecure Permissions CWE