Cyber Resilience

CVE-2026-30312

CriticalRCE

Published: 31 March 2026

Published
31 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0166 73.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30312 is a critical-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30312 is a critical OS command injection vulnerability (CWE-78) in the command auto-approval module of DSAI-Cline, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The module uses string-based parsing to enforce a whitelist, blocking dangerous operators like ;, &&, ||, |, and command substitution patterns. However, it fails to detect raw newline characters embedded in inputs, allowing attackers to bypass validation entirely. When processed by the underlying PowerShell interpreter, the newline acts as a command separator, enabling sequential execution of both a whitelisted command and injected malicious code.

A remote attacker with network access to DSAI-Cline can exploit this vulnerability without authentication or user interaction by crafting a payload that inserts a literal newline between a whitelisted command and arbitrary malicious code, such as "git log\nmalicious_command". The auto-approval mechanism misidentifies the input as safe due to the whitelisted prefix, approving it automatically. PowerShell then executes the full payload, resulting in remote code execution with high confidentiality, integrity, and availability impacts.

Advisories and further details are available in the referenced GitHub repositories: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/9 and https://github.com/necboy/cline-DSAI. These sources document the issue in the context of LLM tool-calling vulnerabilities.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing to validate commands; while it intercepts dangerous operators such as ;, &&, ||, |, and…

more

command substitution patterns, it fails to account for raw newline characters embedded within the input. An attacker can construct a payload by embedding a literal newline between a whitelisted command and malicious code (e.g., git log malicious_command), forcing DSAI-Cline to misidentify it as a safe operation and automatically approve it. The underlying PowerShell interpreter treats the newline as a command separator, executing both commands sequentially, resulting in Remote Code Execution without any user interaction.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.001 PowerShell Execution
Adversaries may abuse PowerShell commands and scripts for execution.
Why these techniques?

The vulnerability enables exploitation of a public-facing application (T1190) via newline-based command injection, directly facilitating arbitrary PowerShell command execution (T1059.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-43984Shared CWE-78
CVE-2026-34176Shared CWE-78
CVE-2026-47294Shared CWE-78
CVE-2020-37125Shared CWE-78
CVE-2024-49601Shared CWE-78
CVE-2025-62354Shared CWE-78
CVE-2022-50596Shared CWE-78
CVE-2025-56819Shared CWE-78
CVE-2025-48703Shared CWE-78
CVE-2026-25111Shared CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates validation of command inputs to prevent OS command injection via undetected raw newline characters bypassing the whitelist.

prevent

Requires timely remediation of the specific flaw in string-based parsing that fails to block newline-separated malicious commands.

detect

Generates audit records for command auto-approval and PowerShell execution events to identify sequential execution of whitelisted and injected code.

References