cbcvebase.
CVE-2026-31236
published 2026-05-12


Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% (24.4th percentile)
The llm CLI tool through 0.27.1 contains a critical code injection vulnerability via its --functions command-line argument. This argument is intended to allow users to provide custom Python function definitions. However, the tool directly executes the provided code using the unsafe exec() function without any sanitization, sandboxing, or security restrictions. An attacker can exploit this by crafting a malicious llm command with arbitrary Python code in the --functions argument and using social engineering to trick a victim into running it. This leads to arbitrary code execution on the victim's system, potentially granting the attacker full control.

Detection & IOCs (extracted from sources)

command: `llm --functions <arbitrary_python_code>`
  • Monitor for execution of the `llm` CLI tool with the `--functions` argument, especially when the argument contains Python code constructs (e.g., import statements, os/subprocess calls, eval/exec patterns).
  • Alert on process command lines where `llm` is invoked with `--functions` containing shell/OS interaction keywords such as `os`, `subprocess`, `socket`, `open`, or `__import__`.
  • Flag use of the `llm` CLI tool at versions 0.27.1 and below (packages: `python-llm`, `python-llm-echo`) as potentially vulnerable to this code injection.
  • The vulnerability requires social engineering; the attacker must trick a victim into manually running a crafted `llm` command. There is no known remote/unauthenticated exploitation path without user interaction.
  • Red Hat OpenShift AI (RHOAI) package `rhoai/odh-model-controller-rhel9` is explicitly marked Not Affected; scope detection efforts to environments where the `llm` CLI is directly installed and user-accessible.
  • Community package trackers (python-llm, python-llm-echo on Fedora) are best-effort; package maintainers must independently confirm whether their specific build is affected before patching.
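
The command-line checks listed above, sketched as an added example (not code from this page or from the llm project). It parses the inline `--functions` value with `ast` so that `os` or `open` only match as identifiers, not as substrings of words like `most` or `close`. The sample command lines are constructed, and it assumes the executable is named `llm` and the code is passed inline.

```python
import ast, os, re, shlex
# Keywords taken from the detection guidance above.
KEYWORDS = {"os", "subprocess", "socket", "open", "__import__", "eval", "exec"}

def functions_values(cmdline):
    """Values passed to --functions, if the command line runs `llm`."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in the logged command line
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "llm":
        return []
    values = []
    for i, arg in enumerate(argv):
        if arg == "--functions" and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith("--functions="):
            values.append(arg.split("=", 1)[1])
    return values

def keyword_hits(code):
    """KEYWORDS that the code imports or references as identifiers."""
    try:
        tree = ast.parse(code)
    except (SyntaxError, ValueError):  # unparseable: whole-word text match
        return sorted(k for k in KEYWORDS if re.search(rf"\b{k}\b", code))
    seen = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            seen.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            seen.add(node.module.split(".")[0])
        elif isinstance(node, ast.Name):
            seen.add(node.id)
    return sorted(seen & KEYWORDS)

def triage(cmdline):
    """None if not an `llm --functions` run, else sorted keyword hits."""
    values = functions_values(cmdline)
    return sorted({h for v in values for h in keyword_hits(v)}) if values else None

# Constructed process command lines, not taken from any real log.
SAMPLES = [
    "llm --functions 'def most(): return \"close\"' 'hi'",
    "llm --functions 'import os; print(os.getcwd())' 'hi'",
    "/usr/local/bin/llm --functions='import socket' 'hi'",
    "grep --functions x",
]
RESULTS = [triage(s) for s in SAMPLES]  # [[], ['os'], ['socket'], None]
```

An empty list still means code was passed to `--functions` and executed, so the invocation itself remains worth logging.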

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat · 9.8 · CRITICAL