CVE-2026-30304
Published: 27 March 2026
Summary
CVE-2026-30304 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Tianguaduizhang Ai Code. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, within the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-30304 is a critical-severity vulnerability (CVSS 9.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) affecting the automatic terminal command execution feature of the AI Code tool. AI Code offers two execution modes: "Execute safe commands", in which the AI model decides whether a command is safe to run automatically or must first be approved by the user because it is potentially destructive, and "Execute all commands". The vulnerability stems from improper input validation (CWE-20): the safety classification is itself performed by the model on attacker-influenceable input, so it is highly susceptible to prompt injection. Attackers can craft inputs that mislead the model into misclassifying malicious commands as safe.
A remote, unprivileged attacker can exploit the flaw by wrapping arbitrary malicious commands in a generic template inside AI Code prompts. Because the model incorrectly deems the wrapped commands safe, the user approval normally required for potentially destructive commands is bypassed and the commands execute automatically. Exploitation requires user interaction (the user must process the malicious prompt in the tool), but the result is full arbitrary command execution on the victim's system, with high confidentiality, integrity and availability impact, and a changed scope because the commands run on the host rather than within the extension alone.
For mitigation details, refer to the advisories linked in the CVE references, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2 and the Visual Studio Marketplace page for the related extension at https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china. This vulnerability highlights risks in LLM-based tool calling for command execution, particularly prompt injection in AI-driven development tools.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16602
Vulnerability details
In its design for automatic terminal command execution, AI Code offers two options: "Execute safe commands" and "Execute all commands". The description of the former states that commands the model determines to be safe are executed automatically, whereas a command the model judges to be potentially destructive still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
- CWE(s): CWE-20 (Improper Input Validation)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables bypass of safety checks via prompt injection, leading to automatic arbitrary terminal command execution (T1059, Command and Scripting Interpreter), and it requires user interaction to process the malicious prompt (T1204, User Execution).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the improper input validation (CWE-20) by requiring validation of prompts to the AI model prior to processing, preventing prompt injection attacks that misclassify malicious commands as safe.
- CM-7 (Least Functionality): addresses the vulnerability by restricting the AI Code tool to least functionality, such as disabling automatic safe command execution or limiting it to allowlisted commands only.
- AC-6 (Least Privilege): limits the scope and impact of arbitrary command execution resulting from bypassed safety classification by enforcing least privilege on executed processes.
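The analysis above describes a safety classifier whose verdict comes from the same model that reads attacker-influenceable prompts, and the controls list an allowlist-only execution mode as the fix. The following TypeScript is an added illustration of that mitigation pattern; it is not code from AI Code or from the claude-dev-china extension. It assumes a hypothetical `Proposal` shape (the model's proposed command plus its own "safe" label) and a small read-only program allowlist chosen for the example. The gate never widens what may run automatically on the strength of the model's label: an allowlisted, metacharacter-free command may auto-execute, anything else is routed to the user, and a model "unsafe" verdict is honoured as a veto.

```typescript
// Added example (not AI Code's own code): a command-execution gate that treats the
// model's "safe" classification as untrusted input. A command runs automatically only
// if it passes a fixed allowlist and contains no shell metacharacters; the model's label
// can only tighten the decision (flagged-unsafe always needs approval), never loosen it.

type Decision = "auto-execute" | "require-approval";

interface Proposal {
  command: string;        // terminal command the model proposes to run
  modelSaysSafe: boolean; // the model's own classification; attacker-influenceable
}

interface Verdict {
  decision: Decision;
  reason: string;
}

// Hypothetical allowlist of read-only programs; a real deployment would tune it.
const PROGRAM_ALLOWLIST: ReadonlySet<string> = new Set(["ls", "cat", "pwd", "git", "npm"]);

// Programs that can both read and write are narrowed to read-only subcommands.
const SUBCOMMAND_ALLOWLIST: { [program: string]: ReadonlySet<string> | undefined } = {
  git: new Set(["status", "diff", "log", "show"]),
  npm: new Set(["ls", "test"]),
};

// Any of these turns one "command" into a chain, pipeline, redirection or subshell.
const SHELL_METACHARS = /[;&|<>`$()\\\r\n]/;

// Minimal tokenizer: splits on blanks and honours single/double quotes.
// Returns null for unbalanced quotes so the caller falls back to "require approval".
function tokenize(cmd: string): string[] | null {
  const tokens: string[] = [];
  let current = "";
  let inToken = false;
  let quote: string | null = null;
  for (let i = 0; i < cmd.length; i++) {
    const ch = cmd.charAt(i);
    if (quote !== null) {
      if (ch === quote) {
        quote = null;
      } else {
        current += ch;
      }
    } else if (ch === '"' || ch === "'") {
      quote = ch;
      inToken = true;
    } else if (ch === " " || ch === "\t") {
      if (inToken) {
        tokens.push(current);
        current = "";
        inToken = false;
      }
    } else {
      current += ch;
      inToken = true;
    }
  }
  if (quote !== null) return null;
  if (inToken) tokens.push(current);
  return tokens;
}

function decide(p: Proposal): Verdict {
  const needApproval = (reason: string): Verdict => ({ decision: "require-approval", reason });
  const cmd = p.command.trim();
  if (cmd.length === 0) return needApproval("empty command");
  // The model may veto a command but never approve one on its own authority.
  if (!p.modelSaysSafe) return needApproval("model flagged the command as potentially destructive");
  if (SHELL_METACHARS.test(cmd)) return needApproval("shell metacharacter present");
  const tokens = tokenize(cmd);
  if (tokens === null || tokens.length === 0) return needApproval("unparseable command");
  const program = tokens[0] ?? "";
  if (program.indexOf("/") !== -1) return needApproval("path-qualified program: " + program);
  if (!PROGRAM_ALLOWLIST.has(program)) return needApproval("program not allowlisted: " + program);
  const subcommands = SUBCOMMAND_ALLOWLIST[program];
  if (subcommands !== undefined) {
    const sub = tokens[1] ?? "";
    if (!subcommands.has(sub)) return needApproval("subcommand not allowlisted: " + program + " " + sub);
  }
  return { decision: "auto-execute", reason: "allowlisted: " + cmd };
}

// Constructed proposals standing in for what a model might emit. The second one is
// labelled "safe" by the model yet is still routed to the user for approval.
const SAMPLE_PROPOSALS: Proposal[] = [
  { command: "git status", modelSaysSafe: true },
  { command: "rm -rf build", modelSaysSafe: true },
  { command: "ls -la; cat notes.txt", modelSaysSafe: true },
  { command: "git push", modelSaysSafe: true },
  { command: "ls", modelSaysSafe: false },
];

for (const p of SAMPLE_PROPOSALS) {
  const v = decide(p);
  console.log(v.decision + "  " + JSON.stringify(p.command) + "  (" + v.reason + ")");
}
```

The design point is the asymmetry in `decide`: the allowlist and metacharacter check are the only path to automatic execution, so a prompt that persuades the model to label a destructive command as safe still ends at the approval dialog, which is exactly the check the vulnerability bypasses. Tightening the list (or removing the auto-execute mode entirely) is the CM-7 choice; running the spawned process under a restricted account is the separate AC-6 layer that this gate does not replace.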