CVE-2026-25130
Published: 2026-01-30
Priority: P268 (critical)
CVSS 3.1: 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Exploitation: EPSS 0.80% (52.0th percentile)
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aliasrobotics | cai | <= 0.5.10 | — |
Detection & IOCs (extracted from sources)
- Flag calls to subprocess.Popen() with shell=True where user-controlled input is passed directly as arguments; this is the primary sink for this injection vulnerability.
- Monitor invocations of the find_file() tool with arguments containing shell metacharacters or -exec flags, as this tool bypasses human-in-the-loop approval and executes without user confirmation.
- The vulnerability is fully patched at commit e22a1220f764e2d7cf9da6d6144926f53ca01cde; deployments running cai-framework versions up to and including 0.5.10 remain vulnerable and should be upgraded immediately.
- The find_file() tool is pre-approved as 'safe' within the CAI framework's human-in-the-loop mechanism, meaning exploitation via argument injection into this tool requires no user interaction or approval, elevating the effective exploitability.
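The first bullet describes the sink a code reviewer or a repository scanner should flag. The following is an added example, not code from the page or from the CAI project: a small AST-based scanner that reports every `subprocess` call with a literal `shell=True` and classifies the command as `constant` (a string literal) or `dynamic` (an f-string, concatenation, `.format()`, `%` or a variable, i.e. anything that may carry user input). The `SAMPLE_SOURCE` it scans is constructed for illustration and only loosely modelled on the shape of a `run_command` helper; `scan_source`, `scan_file` and the tuple result format are this example's own names.

```python
import ast
from typing import List, Optional, Tuple

# Names under subprocess that spawn a process. With shell=True the command
# argument is handed to /bin/sh, so a non-constant command there is the sink
# described in this advisory.
SUBPROCESS_SINKS = {"Popen", "run", "call", "check_call", "check_output"}


def _sink_name(call: ast.Call) -> Optional[str]:
    """Return 'subprocess.X' or 'X' when the call targets a subprocess sink."""
    func = call.func
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "subprocess" and func.attr in SUBPROCESS_SINKS):
        return f"subprocess.{func.attr}"
    if isinstance(func, ast.Name) and func.id in SUBPROCESS_SINKS:
        return func.id  # covers `from subprocess import Popen`
    return None


def _has_shell_true(call: ast.Call) -> bool:
    """True when shell=True is passed as a literal keyword argument.

    A value computed at runtime (shell=flag) is not reported by this check; a
    stricter policy would flag every shell argument that is not literally False.
    """
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _command_node(call: ast.Call) -> Optional[ast.AST]:
    """The command argument: first positional, or the args= keyword."""
    if call.args:
        return call.args[0]
    return next((kw.value for kw in call.keywords if kw.arg == "args"), None)


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, sink, 'dynamic'|'constant') for each shell=True subprocess call.

    'dynamic' findings are the ones to triage first: the command string is
    built at runtime and may include caller-controlled text.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        sink = _sink_name(node)
        if sink is None or not _has_shell_true(node):
            continue
        command = _command_node(node)
        if command is None:
            continue
        kind = "constant" if isinstance(command, ast.Constant) else "dynamic"
        findings.append((node.lineno, sink, kind))
    return sorted(findings)


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    with open(path, encoding="utf-8") as fh:
        return scan_source(fh.read())


# Constructed sample (not CAI source): a helper that hands a caller-built
# string to the shell, a fixed command string, and a list-form call.
SAMPLE_SOURCE = '''\
import subprocess

def run_command(command, ctf=None):
    proc = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE)
    return proc.communicate()[0].decode()

def list_tmp():
    return subprocess.check_output("ls /tmp", shell=True)

def safe_find(path):
    return subprocess.run(["find", path, "-type", "f"], capture_output=True)
'''

if __name__ == "__main__":
    for line, sink, kind in scan_source(SAMPLE_SOURCE):
        print(f"line {line}: {sink} with shell=True, command is {kind}")
```

Run it over a checkout with `scan_file` per `.py` file; the list-form `subprocess.run` call in the sample is deliberately not reported, since without `shell=True` no shell parses the arguments.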
OSV: CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection
osv · 2026-01-30 · CVE-2026-25130 [CRITICAL]
## Summary
The CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system.
## Vulnerable Component
**Function:** `find_file()` in `src/cai/tools/reconnaissance/filesystem.py` [code](https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60)
```python
@function_tool
def find_file(file_path: str, args: str = "", ctf=None) -> str:
    command = f'find {file_path} {args}'  # No sanitization
    return run_command(command, c  # excerpt truncated in the advisory feed
```
GHSA: CAI find_file Agent Tool has Command Injection Vulnerability Through Argument Injection
ghsa · 2026-01-30 · CVE-2026-25130 [CRITICAL] · CWE-78
## Summary
The CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system.
## Vulnerable Component
**Function:** `find_file()` in `src/cai/tools/reconnaissance/filesystem.py` [code](https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60)
```python
@function_tool
def find_file(file_path: str, args: str = "", ctf=None) -> str:
    command = f'find {file_path} {args}'  # No sanitization
    return run_command(command, c  # excerpt truncated in the advisory feed
```
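The snippet quoted in both advisory copies above builds one string for a `shell=True` call, so every character of `args` is shell syntax. The following added example (not code from the page, and not the fix in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde, whose contents the advisory does not show) puts the vulnerable pattern beside one hardened form: the tool input is tokenised with `shlex.split`, each option-position token is checked against an allowlist of read-only `find` predicates, and the result runs as an argv list with no shell. `SAFE_PREDICATES`, `build_find_argv`, `is_allowed` and `vulnerable_command` are this example's own names and assumptions.

```python
import shlex
import subprocess
from typing import List

# Assumed allowlist (not CAI's actual fix): read-only find predicates and the
# number of value tokens each one consumes. Actions such as -exec, -execdir,
# -ok, -delete and -fprint are absent, so they and any unknown flag are rejected.
SAFE_PREDICATES = {
    "-name": 1, "-iname": 1, "-path": 1, "-ipath": 1, "-regex": 1,
    "-type": 1, "-size": 1, "-mtime": 1, "-mmin": 1, "-newer": 1,
    "-maxdepth": 1, "-mindepth": 1, "-empty": 0,
    "-not": 0, "!": 0, "-a": 0, "-o": 0,
}


def vulnerable_command(file_path: str, args: str = "") -> str:
    """The advisory's pattern: a single string destined for Popen(shell=True).

    Returned, never executed here; it only shows what /bin/sh would receive.
    """
    return f"find {file_path} {args}"


def build_find_argv(file_path: str, args: str = "") -> List[str]:
    """Turn tool input into an argv list, or raise ValueError.

    shlex.split applies quoting rules but no shell semantics, so ';', '|' and
    '$()' stay ordinary characters inside a token. Every token in an option
    position must be an allowlisted predicate; tokens in value positions are
    consumed by that predicate and cannot start a new find action.
    """
    if not file_path or file_path.startswith("-"):
        raise ValueError("file_path must be a path, not an option")
    tokens = shlex.split(args)
    argv = ["find", file_path]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in SAFE_PREDICATES:
            raise ValueError(f"find argument not allowed: {tok!r}")
        nvals = SAFE_PREDICATES[tok]
        values = tokens[i + 1:i + 1 + nvals]
        if len(values) != nvals:
            raise ValueError(f"{tok} expects {nvals} value(s)")
        argv.append(tok)
        argv.extend(values)
        i += 1 + nvals
    return argv


def is_allowed(file_path: str, args: str = "") -> bool:
    """Policy check usable as a pre-approval gate: True only if argv builds."""
    try:
        build_find_argv(file_path, args)
        return True
    except ValueError:
        return False


def find_file(file_path: str, args: str = "", timeout: int = 30) -> str:
    """Hardened tool body: list-form argv, shell=False, bounded runtime."""
    argv = build_find_argv(file_path, args)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout if proc.returncode == 0 else proc.stdout + proc.stderr


if __name__ == "__main__":
    print(vulnerable_command("/srv", "-name x; id"))  # whole string reaches /bin/sh
    print(is_allowed("/srv", "-name x; id"))          # False: 'id' is not a predicate
    print(build_find_argv("/srv", "-name '*.py' -type f"))
```

Because `file_path` travels as one argv element, a path containing spaces or metacharacters is just an unusual file name to `find`; the allowlist is what keeps `args` to read-only predicates, and `is_allowed` is the check a pre-approval ("safe command") gate should run before skipping human confirmation.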
No detection rules found.