Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
https://github.com/earendil-works/pi/commit/135fb545f99106a4a249274f129b90bc0a77d347 cve-icon
https://github.com/earendil-works/pi/releases/tag/v0.78.1 cve-icon
https://github.com/earendil-works/pi/security/advisories/GHSA-r95r-rj6r-c39x cve-icon
History

Tue, 23 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Description Pi is a minimal terminal coding harness. From 0.74.0 until 0.78.1, Pi stored API keys and OAuth credentials in auth.json. A race condition in the file write path could briefly create or rewrite this file with permissions derived from the process umask before tightening the file to owner-only permissions. This vulnerability is fixed in 0.78.1.
Title Pi: Race condition in auth.json writes could expose stored credentials
Weaknesses CWE-367
CWE-732
References
Metrics cvssV3_1

{'score': 2.2, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T19:28:22.503Z

Reserved: 2026-06-12T18:42:02.224Z

Link: CVE-2026-54327

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.