Cyber Resilience

CVE-2026-30308

Critical · RCE

Published: 30 March 2026

Modified: 08 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30308 is a critical-severity Code Injection (CWE-94) vulnerability in Presidio Hai Build. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, within the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30308 is a critical vulnerability in the HAI Build Code Generator, a tool that supports automatic terminal command execution with two modes: "Execute safe commands" and "Execute all commands." In the safe mode, a model evaluates commands, automatically executing those deemed safe while requiring user approval for potentially destructive ones. The flaw stems from this design's susceptibility to prompt injection attacks (CWE-94), where attackers can craft inputs to trick the model into misclassifying malicious commands as safe, bypassing approval entirely.

The vulnerability enables remote attackers with no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) to achieve arbitrary command execution on the target's system. By using a generic template to wrap malicious payloads, an attacker can mislead the model during command generation or processing, leading to unauthorized execution of destructive actions such as data exfiltration, system compromise, or further persistence.

Mitigation details and advisories are available in the referenced sources, including the GitHub issue at https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10 and the project repository at https://github.com/presidio-oss/hai-build. Security practitioners should review these for patches, workarounds, or updated configurations to address the prompt injection risk.

Vulnerability details

In its design for automatic terminal command execution, HAI Build Code Generator offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution.

CWE(s)

CWE-94 Code Injection

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated prompt injection in a public-facing code generator directly enables arbitrary terminal command execution (T1059) via exploitation of the exposed application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6543 (shared CWE-94)
CVE-2026-41137 (shared CWE-94)
CVE-2026-26045 (shared CWE-94)
CVE-2024-11600 (shared CWE-94)
CVE-2025-67979 (shared CWE-94)
CVE-2026-2287 (shared CWE-94)
CVE-2025-6000 (shared CWE-94)
CVE-2024-54756 (shared CWE-94)
CVE-2026-42898 (shared CWE-94)
CVE-2025-71281 (shared CWE-94)

Affected Assets

presidio / hai build: versions ≤ 3.13.3

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-10, Information Input Validation): Directly mitigates prompt injection attacks by validating and sanitizing user inputs to the AI model used for command safety classification.

Prevent (CM-7, Least Functionality): Restricts the vulnerable 'Execute safe commands' mode to least functionality, forcing user approval for all commands and preventing automatic execution of misclassified malicious ones.

Prevent: Filters generated commands before execution to block malicious payloads even if the AI model misclassifies them as safe due to prompt injection.
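An added example, not code from hai-build, of the last two controls in practice: a deterministic pre-execution gate in which the model's safe/destructive verdict is advisory and can only veto, never unlock, auto-execution; auto-run additionally requires the command to pass a fixed allowlist, and everything else falls back to user approval. The allowlist contents, the `gate` function and the denied-subcommand table are assumptions for illustration.

```python
"""Deterministic gate in front of model-generated terminal commands.

A prompt-injected model may label anything 'safe'; the gate therefore never
lets the verdict alone decide. Auto-run requires BOTH an allowlisted,
single, argument-only command AND a 'safe' verdict; otherwise ask the user.
"""
import shlex
from dataclasses import dataclass

# Hypothetical allowlist of read-mostly tools a team might auto-run.
AUTO_RUN_ALLOWLIST = {"ls", "cat", "git", "grep", "pwd", "echo"}
# Subcommands of allowlisted tools that still need a human (assumed policy).
DENIED_SUBCOMMANDS = {("git", "push"), ("git", "reset"), ("git", "clean")}
# Any shell control operator means "more than one simple command": escalate.
SHELL_METACHARS = set(";|&`$<>(){}\n")


@dataclass(frozen=True)
class GateDecision:
    auto_run: bool
    reason: str


def gate(command: str, model_says_safe: bool) -> GateDecision:
    # 1. Structural checks that do not depend on the model at all.
    if any(ch in SHELL_METACHARS for ch in command):
        return GateDecision(False, "shell metacharacters require approval")
    try:
        argv = shlex.split(command)
    except ValueError:
        return GateDecision(False, "unparseable command requires approval")
    if not argv:
        return GateDecision(False, "empty command")
    # 2. Allowlist by bare executable name; paths bypass the allowlist, so escalate.
    prog = argv[0].rsplit("/", 1)[-1]
    if argv[0] != prog:
        return GateDecision(False, "explicit program paths require approval")
    if prog not in AUTO_RUN_ALLOWLIST:
        return GateDecision(False, f"'{prog}' is not allowlisted")
    if len(argv) > 1 and (prog, argv[1]) in DENIED_SUBCOMMANDS:
        return GateDecision(False, f"'{prog} {argv[1]}' requires approval")
    # 3. Only now does the model's verdict matter, and only as a veto.
    if not model_says_safe:
        return GateDecision(False, "model flagged the command")
    return GateDecision(True, "allowlisted and model-approved")
```

A wrapped, injected payload that the model mislabels as safe still fails step 1 or 2, so the worst case of a fooled classifier is an approval prompt, not execution.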

References

GitHub issue: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/10
Project repository: https://github.com/presidio-oss/hai-build