CVE-2026-31246 — Shell command injection via GPT-Pilot Executor.run free-text substitution

MITRE service request: 1988723

Status: RESERVED (pending a qualifying public reference per CNA Rules §5.3).

Official CVE description

GPT-Pilot thru commit 0819827ce20346ef5f25b3fe29293cb448840565 (2025-09-03) contains a command injection vulnerability (CWE-78) in the Executor.run() method. During project execution, when the system prompts the user to confirm or modify a command to be run, it accepts free-text input without proper validation. The user-supplied input is directly passed to asyncio.create_subprocess_shell() for execution. This allows an attacker to replace the intended command with arbitrary shell commands, leading to remote code execution with the privileges of the GPT-Pilot process.

Summary

When operators decline the default command and paste “custom” text, GPT-Pilot forwards that string straight to asyncio.create_subprocess_shell, so a malicious insider or social-engineered maintainer can pivot to arbitrary OS commands in the automation account.

Affected product and versions

• Product: Pythagora-io/gpt-pilot.
• Known vulnerable commit (coordination record): 0819827ce20346ef5f25b3fe29293cb448840565.

Technical details

• Surface: Interactive confirmation UI (buttons_only=False path) allowing free-form command edits.
• Sink: Executor.run() → create_subprocess_shell without sanitization.
• Impact: RCE with privileges of the developer machine or CI worker running GPT-Pilot.
• Mitigation: Replace shell=True flows with argv lists + strict allow-lists; disable free-text override in CI.

Risk

High — insider threat + social engineering against power users.

Remediation / workaround

• Patch to forbid shell metacharacters; require explicit approvals for overrides.
• Vendor guidance TBD.