PT-2026-50493 · Npm · @Mariozechner/Pi-Coding-Agent+1
Published 2026-06-17 · Updated 2026-06-23 · CVE-2026-54327
CVSS v3.1: 2.2 (Low)
Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
@mariozechner/pi-coding-agent versions 0.28.0 through 0.73.1
@earendil-works/pi-coding-agent versions 0.74.0 through 0.78.0
Description
A race condition in the file write path of the credential storage implementation allows the auth.json file, which stores API keys and OAuth access and refresh tokens, to be created or rewritten with permissions derived from the process umask before being restricted to owner-only permissions. A local user with read and traverse access to the Pi agent configuration directory could read the file during the interval between the file write and the permission correction. This issue is not remotely exploitable and requires local access to the machine.
Recommendations
Update @mariozechner/pi-coding-agent to @earendil-works/pi-coding-agent version 0.78.1 or later.
Update @earendil-works/pi-coding-agent to version 0.78.1 or later.
Rotate any credentials that may have been exposed on multi-user systems where the configuration directory was readable by other local users.
As a temporary workaround, restrict the Pi agent configuration directory to the owning user, set auth.json to owner-only permissions, and run the application with a restrictive umask such as 077.
Fix
Incorrect Permission
Time Of Check To Time Of Use
Affected Products
@Earendil-Works/Pi-Coding-Agent
@Mariozechner/Pi-Coding-Agent