CVE-2026-30308
Published: 30 March 2026
Summary
CVE-2026-30308 is a critical-severity Code Injection (CWE-94) vulnerability in Presidio Hai Build. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 25.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Other AI Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates prompt injection attacks by validating and sanitizing user inputs to the AI model used for command safety classification.
- Restricts the vulnerable 'Execute safe commands' mode to least functionality, forcing user approval for all commands and preventing automatic execution of misclassified malicious ones.
- Filters generated commands before execution to block malicious payloads even if the AI model misclassifies them as safe due to prompt injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated prompt injection in a public-facing code generator directly enables arbitrary terminal command execution (T1059) via exploitation of the exposed application (T1190).
NVD Description
In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.
Deeper analysis
CVE-2026-30308 is a critical vulnerability in the HAI Build Code Generator, a tool that supports automatic terminal command execution with two modes: "Execute safe commands" and "Execute all commands." In the safe mode, a model evaluates commands, automatically executing those deemed safe while requiring user approval for potentially destructive ones. The flaw stems from this design's susceptibility to prompt injection attacks (CWE-94), where attackers can craft inputs to trick the model into misclassifying malicious commands as safe, bypassing approval entirely.
The vulnerability enables remote attackers with no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) to achieve arbitrary command execution on the target's system. By using a generic template to wrap malicious payloads, an attacker can mislead the model during command generation or processing, leading to unauthorized execution of destructive actions such as data exfiltration, system compromise, or further persistence.
Mitigation details and advisories are available in the referenced sources, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10 and the project repository at https://github.com/presidio-oss/hai-build. Security practitioners should review these for patches, workarounds, or updated configurations to address the prompt injection risk.
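The mitigating controls listed earlier (input validation, least functionality for the auto-execute mode, and filtering generated commands before execution) and the failure mode described in this analysis can be demonstrated together as a single policy gate. The following Python is an added example, not HAI Build's own code; the allowlist contents, the `Mode`/`Decision` names and the `gate()` function are assumptions made for illustration. The point it makes is that the model's "safe" verdict is advisory only: a deterministic policy check runs independently of the model, so a verdict that has been flipped by prompt injection cannot by itself promote a command to automatic execution, and the auto-execute mode can be switched off entirely so that every command needs approval.

```python
"""Policy gate for model-classified terminal commands.

Hypothetical example, not HAI Build's code. The model's 'safe' verdict is
treated as untrusted advice: a command is auto-executed only when an
allowlist policy independently agrees, and the 'Execute safe commands'
mode can be disabled outright (least functionality) so that every command
requires approval.
"""
import re
import shlex
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    APPROVE_ALL = "approve_all"      # least functionality: nothing auto-runs
    EXECUTE_SAFE = "execute_safe"    # auto-run only if model AND policy agree


class Decision(Enum):
    AUTO_EXECUTE = "auto_execute"
    REQUIRE_APPROVAL = "require_approval"
    REJECT = "reject"                # malformed input; never run


# Constructed allowlist of read-only commands (assumption for this example).
ALLOWED_BINARIES = {"ls", "cat", "pwd", "echo", "git"}
# Subcommands allowed for git; anything else needs approval.
ALLOWED_GIT_SUBCOMMANDS = {"status", "log", "diff"}

# Shell control characters: a command containing any of these can chain,
# substitute or redirect, so it is never auto-executed whatever the verdict.
SHELL_CONTROL = re.compile(r"[;&|<>`$(){}\n\r]")


@dataclass(frozen=True)
class GateResult:
    decision: Decision
    reason: str


def policy_allows(command: str) -> tuple[bool, str]:
    """Deterministic check that does not consult the model at all."""
    if SHELL_CONTROL.search(command):
        return False, "shell control character present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    binary = argv[0]
    if binary not in ALLOWED_BINARIES:
        return False, f"'{binary}' is not on the allowlist"
    if binary == "git" and (len(argv) < 2 or argv[1] not in ALLOWED_GIT_SUBCOMMANDS):
        return False, "git subcommand not on the allowlist"
    return True, "allowlisted"


def gate(command: str, model_says_safe: bool, mode: Mode) -> GateResult:
    """Decide what to do with a command the model has classified.

    model_says_safe is the (untrusted) classifier output. It can only
    downgrade a command to approval; it can never upgrade one past policy.
    """
    if not command.strip():
        return GateResult(Decision.REJECT, "empty command")
    if mode is Mode.APPROVE_ALL:
        return GateResult(Decision.REQUIRE_APPROVAL, "auto-execution disabled")
    allowed, why = policy_allows(command)
    if not allowed:
        # The model verdict is irrelevant here: policy failed, so a verdict
        # that was steered to 'safe' by prompt injection gains nothing.
        return GateResult(Decision.REQUIRE_APPROVAL, why)
    if not model_says_safe:
        return GateResult(Decision.REQUIRE_APPROVAL, "model flagged as unsafe")
    return GateResult(Decision.AUTO_EXECUTE, why)


if __name__ == "__main__":
    # Constructed sample verdicts: the second and third simulate a
    # misclassification where the model reports 'safe' for a command
    # the policy does not allow.
    samples = [
        ("git status", True, Mode.EXECUTE_SAFE),
        ("rm -rf ./build", True, Mode.EXECUTE_SAFE),
        ("ls && rm -rf ./build", True, Mode.EXECUTE_SAFE),
        ("ls -la", True, Mode.APPROVE_ALL),
    ]
    for cmd, verdict, mode in samples:
        r = gate(cmd, verdict, mode)
        print(f"{mode.value:13} model_safe={verdict!s:5} {cmd!r:28} -> {r.decision.value} ({r.reason})")
```

The design choice worth noting is the ordering inside `gate()`: the mode switch and the policy check both run before the model verdict is consulted, so the only thing the classifier can do is add an approval step, never remove one. The allowlist here is deliberately small and read-only; in a real deployment it would be the narrowest set the workflow actually needs.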
Details
- CWE(s): CWE-94 (Code Injection)
- Affected Products: Presidio HAI Build (HAI Build Code Generator)
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: prompt injection