CVE-2026-25130
Published: 30 January 2026
Summary
CVE-2026-25130 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 48.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25130 is an argument injection vulnerability affecting the Cybersecurity AI (CAI) framework, a tool for AI security, in versions up to and including 0.5.10. The issue resides in multiple function tools where user-controlled input is passed directly to shell commands via subprocess.Popen() with shell=True, enabling command injection. Notably, the find_file() tool is classified as a "safe" pre-approved command, allowing it to execute without requiring user approval.
An attacker can exploit this vulnerability remotely over the network with no privileges required, though it demands user interaction and low attack complexity. By injecting malicious arguments, such as -exec, into the args parameter, they achieve remote code execution (RCE) on the host system, fully bypassing human-in-the-loop safety mechanisms. The CVSS v3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its critical severity, with high impacts on confidentiality, integrity, and availability, and a changed scope.
Mitigation is addressed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde. Further details, including the full advisory, are available at the GitHub security advisory GHSA-jfpc-wj3m-qw2m.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5008
Vulnerability details
Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()`…
more
with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a "safe" pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Argument/command injection via unsanitized input to subprocess.Popen(shell=True) in a remotely accessible framework directly enables RCE; maps to exploitation of a network-reachable application (T1190) and arbitrary Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of user-controlled inputs before passing to shell commands via subprocess.Popen(), directly preventing argument injection for RCE.
Mandates timely identification, reporting, and patching of flaws like the argument injection vulnerability fixed in commit e22a1220f764e2d7cf9da6d6144926f53ca01cde.
Enforces least privilege to restrict the scope and impact of arbitrary command execution even if argument injection succeeds.