CRITICAL | CVE-2026-44887 | CNA: GitHub_M

CVE-2026-44887: Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Path)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's web-based configuration editor allows arbitrary Python code to be injected into pialert.conf. Since the background scan daemon loads this file via Python's exec(), injected code executes as the daemon process. With web protection disabled (the default configuration), no authentication is required, making this an unauthenticated Remote Code Execution vulnerability. This vulnerability is fixed in 2026-05-07.

HarborGuard Analysis

Synopsis

This is an unauthenticated remote code execution vulnerability in Pi.Alert, a WIFI/LAN intruder detector and web service monitor. The web-based configuration editor accepts arbitrary Python code that gets written into pialert.conf, which the background scan daemon then loads via Python's exec() call. Because web protection is disabled by default, a remote attacker with no credentials can reach the endpoint over the network and execute arbitrary code as the daemon process, achieving full system compromise. No fix version has been published upstream; HarborGuard tracks the advisory and will make a patched-image rebuild available the moment an upstream fix ships.
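The root cause described above, a configuration file loaded with exec(), shown next to a loader that accepts the same `NAME = value` syntax but only literal values. This is an added example, not Pi.Alert's code or its upstream fix; the function names, key names and sample files are constructed for illustration.

```python
import ast

# Constructed sample files; the key names are illustrative, not Pi.Alert's real settings.
CLEAN_CONF = "SCAN_CYCLE = 5\nREPORT_TO = 'admin@example.org'\nSUBNETS = ['192.168.1.0/24']\n"
# One value is an expression rather than a literal; here a harmless call.
TAINTED_CONF = CLEAN_CONF + "LOG_LEVEL = str(len('code ran'))\n"


def load_with_exec(text):
    """The pattern the advisory describes: the file is run as Python source."""
    scope = {}
    exec(text, scope)  # every statement and expression in the file is executed
    return {k: v for k, v in scope.items() if not k.startswith("__")}


def load_literals_only(text):
    """Parse the same syntax without executing it; accept only NAME = <literal>."""
    settings = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            raise ValueError(f"line {node.lineno}: only NAME = value is allowed")
        try:
            # literal_eval accepts constants, lists, tuples, dicts, sets; no calls or names
            settings[node.targets[0].id] = ast.literal_eval(node.value)
        except (ValueError, TypeError):
            raise ValueError(f"line {node.lineno}: value is not a plain literal") from None
    return settings


def validate_before_save(text):
    """Check a web editor could run before writing the file; True if safe to store."""
    try:
        load_literals_only(text)
        return True
    except (ValueError, SyntaxError):
        return False


if __name__ == "__main__":
    print(load_with_exec(TAINTED_CONF)["LOG_LEVEL"])  # the call was evaluated
    print(validate_before_save(CLEAN_CONF), validate_before_save(TAINTED_CONF))
```

Running the same check in both the editor (before save) and the daemon (before load) means a file modified by any other path is still rejected at load time.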

HarborGuard Coverage

Detection

Detection of CVE-2026-44887 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from Pi.Alert base layers, across registries and active CI/CD pipelines.

Status: Available

Triage

Triage is available with the full CVSS v3.1 score of 9.8 (Critical) applied to every matched image finding; per-environment compliance policy weighting can escalate or route the alert to the appropriate team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, the finding is surfaced as an open, unresolvable vulnerability so teams can apply compensating controls while waiting for a patch.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable configuration endpoint is exposed over the network, so an attacker must be able to reach the Pi.Alert web service via HTTP/HTTPS to deliver the payload.

  • Authentication: Not required

    Web protection is disabled in the default configuration, meaning no credentials of any privilege level are needed to access the configuration editor.

  • Victim interaction: Not required

    The attacker sends a crafted HTTP request directly to the server; no user action, click, or social engineering is required.

  • Attack complexity: Detail

    Exploit complexity is low: the attack is reliable and condition-free, with no race conditions, memory layout dependencies, or environmental factors to overcome.

Blast Radius

  • Attacker executes arbitrary code as the Pi.Alert background scan daemon process, gaining an interactive foothold on the host.
  • Attacker reads any file accessible to the daemon, including stored network scan data, credentials, and configuration secrets on the host.
  • Attacker modifies or deletes persisted configuration, scan history, and alert data managed by the daemon.
  • Attacker crashes or permanently disrupts the Pi.Alert monitoring service, eliminating network intrusion detection coverage for the affected environment.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-44887 is flagged as a Critical, no-fix-available finding on every image match. Because no upstream patch exists, HarborGuard monitors the advisory on each ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment a fix version is published upstream. While waiting for a patch, consider applying the following compensating controls in your environment: enable Pi.Alert's built-in web protection to require authentication on the configuration editor; apply a network policy that restricts inbound access to the Pi.Alert web port to trusted source IPs only; and use egress filtering on the host running the daemon to limit the blast radius if code execution occurs. These mitigations do not resolve the underlying vulnerability and the finding will remain open in HarborGuard until an upstream fix is ingested.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in
Affected Products: 1
Affected packages:
  • leiweibau / Pi.Alert < 2026-05-07
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H