CVE-2026-25130
Published: 30 January 2026
Summary
CVE-2026-25130 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-controlled inputs before passing to shell commands via subprocess.Popen(), directly preventing argument injection for RCE.
Mandates timely identification, reporting, and patching of flaws like the argument injection vulnerability fixed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde.
Enforces least privilege to restrict the scope and impact of arbitrary command execution even if argument injection succeeds.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Argument/command injection via unsanitized input to subprocess.Popen(shell=True) in a remotely accessible framework directly enables RCE; maps to exploitation of a network-reachable application (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()`…
more
with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
Deeper analysisAI
CVE-2026-25130 is an argument injection vulnerability affecting the Cybersecurity AI (CAI) framework, a tool for AI security, in versions up to and including 0.5.10. The issue resides in multiple function tools where user-controlled input is passed directly to shell commands via subprocess.Popen() with shell=True, enabling command injection. Notably, the find_file() tool is classified as a "safe" pre-approved command, allowing it to execute without requiring user approval.
An attacker can exploit this vulnerability remotely over the network with no privileges required, though it demands user interaction and low attack complexity. By injecting malicious arguments, such as -exec, into the args parameter, they achieve remote code execution (RCE) on the host system, fully bypassing human-in-the-loop safety mechanisms. The CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its critical severity, with high impacts on confidentiality, integrity, and availability, and a changed scope.
Mitigation is addressed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde. Further details, including the full advisory, are available at the GitHub security advisory GHSA-jfpc-wj3m-qw2m.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other AI Platforms
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai, ai, ai