CVE-2026-31236
Published: 2026-05-12
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% (24.4th percentile)
The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.
Detection & IOCs
- Monitor for execution of the `llm` CLI tool with the `--functions` argument, especially when the argument contains Python code constructs (e.g., import statements, os/subprocess calls, eval/exec patterns).
- Alert on process command lines where `llm` is invoked with `--functions` containing shell/OS interaction keywords such as `os`, `subprocess`, `socket`, `open`, or `__import__`.
- Flag use of the `llm` CLI tool at versions 0.27.1 and below (packages: `python-llm`, `python-llm-echo`) as potentially vulnerable to this code injection.
- The vulnerability requires social engineering; the attacker must trick a victim into manually running a crafted `llm` command. There is no known remote/unauthenticated exploitation path without user interaction.
- Red Hat OpenShift AI (RHOAI) package `rhoai/odh-model-controller-rhel9` is explicitly marked Not Affected; scope detection efforts to environments where the `llm` CLI is directly installed and user-accessible.
- Community package trackers (python-llm, python-llm-echo on Fedora) are best-effort; package maintainers must independently confirm whether their specific build is affected before patching.
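One way to apply the first two detection points to logged process command lines, as an added example that is not code from the llm project or from any of the sources above. It parses the `--functions` value with `ast` instead of matching substrings and never executes it; the function names and both sample command lines are constructed for illustration.

```python
import ast
import shlex

# Keywords named in the detection guidance above, plus eval/exec.
SUSPECT_NAMES = {"os", "subprocess", "socket", "open", "__import__", "eval", "exec"}

def functions_values(cmdline):
    """Return each value passed to --functions on an llm command line."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:              # unbalanced quotes in the logged line
        return []
    if not argv or argv[0].rsplit("/", 1)[-1] != "llm":
        return []
    values = []
    for i, arg in enumerate(argv):
        if arg == "--functions" and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith("--functions="):
            values.append(arg.split("=", 1)[1])
    return values

def indicators(source):
    """Parse the value with ast (it is never executed) and list suspect constructs."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return ["unparsed"]         # not inline Python: send to manual review
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update("import " + alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            found.add("import " + (node.module or "."))
        elif isinstance(node, ast.Name) and node.id in SUSPECT_NAMES:
            found.add(node.id)
    # A call outside any def runs the moment the argument is exec()'d.
    if any(isinstance(s, ast.Expr) and isinstance(s.value, ast.Call) for s in tree.body):
        found.add("top-level call")
    return sorted(found)

def triage(cmdline):
    """Map each --functions value in the command line to its indicators."""
    return {value: indicators(value) for value in functions_values(cmdline)}

# Constructed sample command lines, not taken from any real incident.
BENIGN = "llm --functions 'def multiply(x: int, y: int) -> int:\n    return x * y' 'what is 3 x 4'"
FLAGGED = "llm --functions 'import os\nprint(os.getcwd())' 'hello'"

if __name__ == "__main__":
    for line in (BENIGN, FLAGGED):
        print(triage(line))
```

An empty indicator list means the value contains only definitions without the listed names; it is a triage signal, not proof that the code is safe to run.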
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 9.8 CRITICAL
VulDB
llm CLI tool up to 0.27.1 exec --functions code injection (Nessus ID 315103)
vuldb·2026-05-18·CVSS 9.8
CVE-2026-31236 [CRITICAL] llm CLI tool up to 0.27.1 exec --functions code injection (Nessus ID 315103)
A vulnerability marked as critical has been reported in llm CLI tool up to 0.27.1. The affected function is exec; manipulating the --functions argument causes code injection.
This vulnerability is handled as CVE-2026-31236. The attack can be initiated remotely. No exploit is available.
GHSA
llm CLI tool contains a code injection vulnerability via `--functions` command-line argument
ghsa·2026-05-12
CVE-2026-31236 [CRITICAL] CWE-94 llm CLI tool contains a code injection vulnerability via `--functions` command-line argument
GHSA
GHSA-g76p-4vg5-f4qh: The llm CLI tool thru 0
ghsa_unreviewed·2026-05-12
CVE-2026-31236 GHSA-g76p-4vg5-f4qh: The llm CLI tool thru 0
Red Hat
llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument
vendor_redhat·2026-05-12·CVSS 9.8
CVE-2026-31236 [CRITICAL] CWE-94 llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument
A flaw was found in the llm CLI tool. An attacker can ex
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-31236 python-llm-echo: llm CLI tool: Arbitrary code execution via code injection in --functions argument [fedora-all]
bugzilla·2026-06-19·CVSS 9.8
CVE-2026-31236 [CRITICAL] CVE-2026-31236 python-llm-echo: llm CLI tool: Arbitrary code execution via code injection in --functions argument [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-31236 python-llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument [fedora-all]
bugzilla·2026-06-19·CVSS 9.8
CVE-2026-31236 [CRITICAL] CVE-2026-31236 python-llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument [fedora-all]
Bugzilla
CVE-2026-31236 llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument
bugzilla·2026-05-12·CVSS 9.8
CVE-2026-31236 [CRITICAL] CVE-2026-31236 llm: llm CLI tool: Arbitrary code execution via code injection in --functions argument
Published: 2026-05-12