How is CVE-2026-44888 exploited?

Network reachability (required): The SaveConfigFile() endpoint is exposed over the network, so an attacker must be able to reach the Pi.Alert web service via HTTP/HTTPS to deliver the malicious payload. Authentication (not-required): On default installations PIALERT_WEB_PROTECTION is False, meaning no credentials of any kind are required to call the SaveConfigFile() endpoint. Victim interaction (not-required): The attacker writes the payload directly to the config file via the endpoint; no user action or social engineering is needed for the injected code to execute. Attack complexity (info): The exploit is reliable and condition-free: writing to the config file is straightforward and execution occurs automatically within the 3-5 minute cron window, with no race condition or environmental dependency required.

What is the impact of CVE-2026-44888?

Executes arbitrary OS-level commands under the privileges of the Pi.Alert background cron process, giving the attacker a remote shell on the host. Reads all data accessible to that process, including network scan results, stored credentials, SMTP configuration values, and any secrets present on the filesystem. Modifies or deletes Pi.Alert configuration, scan data, and any other files writable by the process user, disrupting intruder-detection and monitoring functions. Enables lateral movement onto the local network by leveraging the host as a pivot point, since Pi.Alert has inherent network visibility into the monitored WIFI/LAN segment.

Back to search

CRITICALCVE-2026-44888Published 2026-05-27Modified 2026-05-28CNA GitHub_M

CVE-2026-44888: Unauthenticated RCE via Python Config File Injection in SaveConfigFile() (Interger)

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3–5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A Python config file injection vulnerability in Pi.Alert (the WIFI/LAN intruder detector and web service monitor) allows an unauthenticated remote attacker to write arbitrary Python code into pialert.conf via the SaveConfigFile() endpoint. Because the background cron process loads this file using Python's exec() every 3-5 minutes, the injected code executes automatically at the OS level with the privileges of that process. No authentication is required on default installations where PIALERT_WEB_PROTECTION is set to False, making this trivially exploitable over the network. The upstream project has not yet published a fix version; HarborGuard tracks this advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-44888 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Pi.Alert. No manual scan trigger is needed for coverage to apply.

Available

Triage

Triage is available using the CVSS v3.1 base score of 9.8 (Critical), weighted against each customer environment's configured compliance policy to set ticket priority and severity thresholds. Routing to the appropriate team inbox within each customer organization is handled automatically based on those policy assignments.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Pi.Alert advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads as soon as that version becomes available.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The SaveConfigFile() endpoint is exposed over the network, so an attacker must be able to reach the Pi.Alert web service via HTTP/HTTPS to deliver the malicious payload.
AuthenticationNot required
On default installations PIALERT_WEB_PROTECTION is False, meaning no credentials of any kind are required to call the SaveConfigFile() endpoint.
Victim interactionNot required
The attacker writes the payload directly to the config file via the endpoint; no user action or social engineering is needed for the injected code to execute.
Attack complexityDetail
The exploit is reliable and condition-free: writing to the config file is straightforward and execution occurs automatically within the 3-5 minute cron window, with no race condition or environmental dependency required.

Blast Radius

Executes arbitrary OS-level commands under the privileges of the Pi.Alert background cron process, giving the attacker a remote shell on the host.
Reads all data accessible to that process, including network scan results, stored credentials, SMTP configuration values, and any secrets present on the filesystem.
Modifies or deletes Pi.Alert configuration, scan data, and any other files writable by the process user, disrupting intruder-detection and monitoring functions.
Enables lateral movement onto the local network by leveraging the host as a pivot point, since Pi.Alert has inherent network visibility into the monitored WIFI/LAN segment.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-44888, HarborGuard monitors the Pi.Alert advisory on every ingest cycle and will surface a patched-image rebuild the moment leiweibau/Pi.Alert ships a remediated release. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads automatically. In the interim, compensating controls are strongly advised: apply a network policy that restricts inbound access to the Pi.Alert web port to trusted source IPs only, enable PIALERT_WEB_PROTECTION in the application configuration to require credentials, and consider egress filtering on the container to limit the blast radius if code injection occurs. HarborGuard will surface the advisory in the affected-image findings list so the relevant team inbox receives routing according to each environment's compliance policy.

See how HarborGuard automates this

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

leiweibau / Pi.Alert
< 2026-05-07

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

https://github.com/leiweibau/Pi.Alert/security/advisories/GHSA-xg85-f8qw-7c5f