VYPR
Medium severity 6.3 · NVD Advisory · Published May 31, 2026

CVE-2026-10175

Description

Aider-AI Aider 0.86.3 Architect Mode code injection via editor_coder.run allows remote attackers to execute arbitrary code from a malicious repository.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Aider-AI Aider version 0.86.3, the editor_coder.run function in auth.py processes output from the architect model without preprocessing (preproc=False), as described in [2]. This allows an attacker to inject malicious code into the project by including hidden instructions (e.g., "ARCHITECT OVERRIDE") in a repository's README.md. The architect model then emits attacker-controlled directives that the editor model applies to files like auth.py, resulting in code injection.

Exploitation

An attacker creates a repository containing a README.md with embedded malicious instructions. When a victim runs Aider in Architect Mode on that repository (e.g., using --yes to skip confirmations), the architect model reads the poisoned README and outputs attacker-controlled code, which the editor model applies directly. No prior authentication or privileges are required by the attacker; the victim only needs to configure Aider to target the attacker's repository. The attack is remote and has been publicly demonstrated with a validated retest [2].

Impact

Successful exploitation allows remote attackers to inject arbitrary code into the victim's project. The documented proof-of-concept exfiltrates the .env file by base64-encoding its contents and sending them to an attacker-controlled endpoint [2]. This compromises confidentiality (secrets disclosure) and integrity (backdoor insertion), with potential for escalation to remote code execution depending on the injected code.

Mitigation

As of the publication date, the vendor has not responded to the issue report and no official fix has been released [1][2]. Users should avoid using Architect Mode with untrusted repositories or those containing unknown content. Until a patch is available, manually review architect suggestions before applying them, especially when using the --yes flag. The project's GitHub repository is at [1] for future updates.
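One way to support the manual review recommended above, as an added example that is not part of the advisory or of Aider: a check that reads a unified diff (for instance the output of `git diff` or `git show HEAD`) and flags added lines matching the behaviour documented for the proof-of-concept. The indicator patterns, the verdict names and the sample diff are assumptions constructed for this illustration.

```python
import re

# Indicator classes taken from the PoC behaviour this advisory describes:
# reading .env, base64-encoding it, and sending it to a remote endpoint.
INDICATORS = {
    "secret-file-read": re.compile(r"""['"][^'"]*\.env['"]|\bdotenv\b"""),
    "base64-encoding": re.compile(r"\bbase64\b|\bb64encode\b"),
    "outbound-network": re.compile(r"\b(?:requests|urllib|httpx|socket)\b|https?://"),
}
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

def added_lines(diff_text):
    """Yield (path, new_line_number, text) for each line a unified diff adds."""
    path, lineno = None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = re.sub(r"^b/", "", line[4:])
        elif (m := HUNK.match(line)):
            lineno = int(m.group(1))
        elif line.startswith("+"):
            yield path, lineno, line[1:]
            lineno += 1
        elif not line.startswith(("-", "\\")):
            lineno += 1  # context line: present in the new file

def review(diff_text):
    """Return (verdict, findings); a finding is (path, line, indicator)."""
    findings, per_file = [], {}
    for path, lineno, text in added_lines(diff_text):
        for name, rx in INDICATORS.items():
            if rx.search(text):
                findings.append((path, lineno, name))
                per_file.setdefault(path, set()).add(name)
    # A secret read combined with encoding or network code in one file: block.
    risky = any("secret-file-read" in s and len(s) > 1 for s in per_file.values())
    return ("block" if risky else "review" if findings else "ok"), findings

# Constructed sample diff (not the PoC output); _report is an undefined placeholder.
SAMPLE_DIFF = '''\
--- a/auth.py
+++ b/auth.py
@@ -1 +1,5 @@
 import jwt
+import base64
+import urllib.request
+_env = open(".env", "rb").read()
+_report(base64.b64encode(_env))
'''

if __name__ == "__main__":
    print(review(SAMPLE_DIFF))
```

A "block" or "review" verdict only marks lines for a human to read; an "ok" verdict does not mean the change is safe, since the patterns cover just the behaviour named in this advisory.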

AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The architect model's output is passed to the editor model with `preproc=False`, bypassing the normal input preprocessing layer that would sanitize slash commands, file mentions, and URL directives."

Attack vector

An attacker embeds a hidden `ARCHITECT OVERRIDE` instruction inside a repository file such as `README.md`. When Aider's architect mode reads that poisoned content, the architect model emits a malicious code directive (e.g., a telemetry import). Because the architect output is forwarded to the editor model with `preproc=False`, the editor applies the attacker-controlled code to a source file (e.g., `auth.py`) and commits it. The attack is triggered remotely by convincing a victim to run Aider in architect mode on a repository containing the poisoned file [ref_id=1].

Affected code

The vulnerability resides in the architect-to-editor handoff in `aider/coders/architect_coder.py` (lines 17, 44) and `aider/coders/base_coder.py` (lines 912–930). The call `editor_coder.run(with_message=content, preproc=False)` passes the architect model's output directly to the editor model without the normal input preprocessing layer.

What the fix does

No patch has been published by the vendor. The advisory recommends adding an additional validation layer for architect output before it is passed to the editor model, specifically ensuring that the architect output goes through the normal `preproc_user_input()` path or an equivalent sanitization step [ref_id=1].

Preconditions

  • config: Aider must be running in architect mode (`--architect` flag).
  • input: The victim must open a repository containing attacker-controlled content (e.g., a poisoned `README.md`).
  • config: The `--yes` flag may be used to skip interactive confirmation, but the issue notes the bypass occurs even without it.

Reproduction

1. Prepare a repository with a `README.md` containing a hidden `ARCHITECT OVERRIDE` instruction that directs the architect model to emit a malicious code snippet (e.g., a base64-encoded telemetry exfiltration import).
2. Run Aider in architect mode: `aider --architect --model gpt-4o-mini --editor-model gpt-4o-mini --message "请查看 README 文件,然后帮我重构 auth.py,实现基于 JWT 的身份验证功能。" --yes auth.py README.md` (the `--message` text asks Aider to look at the README file and then refactor `auth.py` to implement JWT-based authentication).
3. Observe that the architect model reads the poisoned README and outputs the attacker-controlled directive.
4. The editor model applies the malicious code to `auth.py` and commits the backdoored file [ref_id=1].

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
