Summary
Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts
Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a local attacker who can write to the shared temporary directory could prepare the expected package location before another user runs pi with a temporary extension package source. Pi could then load attacker-controlled extension code in the victim user's process.
Info
The vulnerable code path affected temporary extension package sources loaded with --extension or -e, specifically npm and git package sources. The temporary npm install root and temporary git clone paths were deterministic and rooted under os.tmpdir()/pi-extensions. The path was derived from public source information rather than from a per-user private directory or an unpredictable temporary directory.
During resource resolution, pi considered an npm package or git checkout present if the expected package path already existed. Extension resources discovered from that package location were then loaded by the extension loader. Because extensions execute with the same privileges as the invoking pi process, pre-created temporary package contents could execute as the victim user.
The issue primarily affects Linux-based multi-user hosts where the operating system temporary directory is shared across user accounts, such as shared development machines, CI runners, HPC login nodes, and similar environments. On Windows and macOS, the default temporary directory is typically user-scoped, so default configurations are not expected to be affected unless the temporary directory is overridden to a shared writable location.
Affected versions
@earendil-works/pi-coding-agent: affected>= 0.74.0, < 0.78.1; patched>= 0.78.1@mariozechner/pi-coding-agent: affected>= 0.50.0, <= 0.73.1; no patched version was released under the old package name. Migrate to@earendil-works/pi-coding-agent >= 0.78.1.
The solution
Version 0.78.1 moves temporary extension package installs to a private per-user directory under ~/.pi/agent/tmp/extensions and enforces 0700 permissions on that directory. The same release also hardens git package source path handling so managed clone paths remain inside their intended install roots.
Recommendations
Upgrade to @earendil-works/pi-coding-agent version 0.78.1 or later. Users of the deprecated @mariozechner/pi-coding-agent package should migrate to the @earendil-works/pi-coding-agent package and upgrade to a fixed version.
On shared Linux hosts, avoid using temporary npm or git extension package sources with vulnerable versions. Review any third-party extensions before loading them, because pi extensions run with full access to the invoking user's account.
Workarounds
If upgrading immediately is not possible, avoid --extension or -e with npm or git package sources on shared Linux systems. As an additional mitigation for vulnerable versions, configure the process temporary directory environment to point at a directory owned by the invoking user with 0700 permissions before starting pi.
Timeline
- 2026-05-29: Report received
- 2026-06-02: Fix committed
- 2026-06-04: Fixed version 0.78.1 released
- 2026-06-08: Advisory prepared for publication
Credits
Reported by Paul Urian and Cosmin Alexa of CrowdStrike.
Impact
A local attacker with access to the same host can exploit this only if a victim runs a vulnerable pi version with a temporary npm or git extension package source that maps to the attacker-prepared location. No network attack path is involved and no race must be won, but victim interaction is required.
Successful exploitation can allow arbitrary extension code execution as the victim user. This can expose or modify files accessible to that user and can also cause denial of service or data loss through malicious package contents or unsafe temporary cache entries.
CVE-2026-54328 has a CVSS score of 7.3 (High). The vector is requires local access, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.78.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-54328? CVE-2026-54328 is a high-severity security vulnerability in @earendil-works/pi-coding-agent (npm), affecting versions >= 0.74.0, < 0.78.1. It is fixed in 0.78.1.
- How severe is CVE-2026-54328? CVE-2026-54328 has a CVSS score of 7.3 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2026-54328?
@earendil-works/pi-coding-agent(npm) (versions >= 0.74.0, < 0.78.1)@mariozechner/pi-coding-agent(npm) (versions >= 0.50.0, <= 0.73.1)
- Is there a fix for CVE-2026-54328? Yes. CVE-2026-54328 is fixed in 0.78.1. Upgrade to this version or later.
- Is CVE-2026-54328 exploitable, and should I be worried? Whether CVE-2026-54328 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-54328 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-54328? Upgrade
@earendil-works/pi-coding-agentto 0.78.1 or later.