Cyber Resilience

CVE-2026-30304

Critical

Published: 27 March 2026

Published
27 March 2026
Modified
03 April 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0043 34.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30304 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Tianguaduizhang Ai Code. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-30304 is a high-severity vulnerability (CVSS 9.6, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) affecting the AI Code tool's automatic terminal command execution feature. AI Code provides two execution modes: "Execute safe commands," where the AI model determines if a command is safe for automatic execution or requires user approval if deemed potentially destructive, and "Execute all commands." The vulnerability stems from improper input validation (CWE-20), making the safety classification mechanism highly susceptible to prompt injection attacks. Attackers can craft inputs that mislead the model into misclassifying malicious commands as safe.

A remote attacker with no privileges can exploit this vulnerability by using a generic template to wrap arbitrary malicious commands in AI Code prompts. This bypasses the user approval requirement for potentially destructive commands, as the model incorrectly deems them safe, leading to automatic execution. Exploitation requires user interaction, such as a user processing a malicious prompt in the tool, but results in full arbitrary command execution on the victim's system, with high impacts on confidentiality, integrity, and availability due to the changed scope.

For mitigation details, refer to the advisories linked in the CVE references, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2 and the Visual Studio Marketplace page for the related extension at https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china. This vulnerability highlights risks in LLM-based tool calling for command execution, particularly prompt injection in AI-driven development tools.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas…

more

if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, prompt injection

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1204 User Execution Execution
An adversary may rely upon specific actions by a user in order to gain execution.
Why these techniques?

Vulnerability enables bypass of safety checks via prompt injection for automatic arbitrary terminal command execution (T1059) and requires user interaction to process malicious prompt (T1204).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27306Shared CWE-20
CVE-2025-62222Shared CWE-20
CVE-2025-55270Shared CWE-20
CVE-2026-34910Shared CWE-20
CVE-2026-22615Shared CWE-20
CVE-2026-0933Shared CWE-20
CVE-2024-56134Shared CWE-20
CVE-2026-40068Shared CWE-20
CVE-2025-1097Shared CWE-20
CVE-2025-29814Shared CWE-20

Affected Assets

tianguaduizhang
ai code
≤ 3.12.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper input validation (CWE-20) by requiring validation of prompts to the AI model prior to processing, preventing prompt injection attacks that misclassify malicious commands as safe.

prevent

Addresses the vulnerability by restricting the AI Code tool to least functionality, such as disabling automatic safe command execution or limiting to whitelisted commands only.

prevent

Limits the scope and impact of arbitrary command execution resulting from bypassed safety classification by enforcing least privilege on executed processes.

References