{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30304", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-27T19:48:56.483Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-27T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-27T14:12:04.210Z"}, "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T19:47:16.019800Z", "id": "CVE-2026-30304", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T19:48:56.483Z"}}]}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In its design for automatic terminal command execution, AI Code offers two options: Execute safe commands and execute all commands. The description for the former states that commands determined by the model to be safe will be automatically executed, whereas if the model judges a command to be potentially destructive, it still requires user approval. However, this design is highly susceptible to prompt injection attacks. An attacker can employ a generic template to wrap any malicious command and mislead the model into misclassifying it as a 'safe' command, thereby bypassing the user approval requirement and resulting in arbitrary command execution."}], "id": "CVE-2026-30304", "lastModified": "2026-03-27T20:16:28.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-27T15:16:53.263", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/2"}, {"source": "cve@mitre.org", "url": "https://marketplace.visualstudio.com/items?itemName=tianguaduizhang.claude-dev-china"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-27T15:59:25.344395+00:00", "value": {"mitigation_remediation": ["Disable automatic safe command execution or enforce user approval for every command.", "Implement a strict whitelist or sandbox for each executable command and validate user prompts against it.", "Apply any vendor updates or patches when released to address the prompt\u2011injection flaw.", "Audit and log all command executions for signs of abuse.", "Conduct regular security reviews of the AI prompt handling code to ensure input validation remains robust."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any installation of AI Code that relies on its automatic terminal command execution feature is affected, as the vulnerability exists in the design of the safe command decision logic rather than in a specific vendor or version. Systems that permit user input to influence the model\u2019s output\u2014including IDE extensions or custom integrations\u2014are at risk if they enable auto\u2011execution of safe commands.", "description_and_impact": "The vulnerability allows an attacker to craft prompts that trick the AI Code model into classifying malicious commands as \"safe,\" thereby bypassing the user approval step and executing arbitrary shell commands. This results in remote code execution, enabling attackers to gain full control over the system hosting the AI Code environment and potentially exfiltrate data, persist malware, or disrupt services. The weakness corresponds to an OS command injection flaw, where input validation is insufficient to prevent malicious instructions.", "risk_and_exploitability": "The flaw carries a high risk score due to the ability to execute arbitrary commands with administrative privileges. No EPSS score or KEV listing is available, but the potential impact and the ease of triggering via prompt injection suggest a significant likelihood of exploitation. The attack vector is inferred to be through any interface that accepts user prompts for the AI model; an attacker only needs to supply a crafted prompt that misleads the model into classifying destructive commands as safe."}}}}, "created": "2026-03-27T20:29:04.036374+00:00", "title": "AI Code Prompt Injection Leading to Arbitrary Command Execution", "updated": "2026-03-27T20:29:04.036400+00:00", "vendors": [], "weaknesses": ["CWE-78"]}