CVE-2026-44888: Pi.Alert RCE Vulnerability

CVE-2026-44888 Overview

CVE-2026-44888 is a code injection vulnerability in Pi.Alert, an open-source WiFi/LAN intruder detector with web service monitoring. The flaw resides in the SaveConfigFile() endpoint, which writes user-supplied numeric configuration values such as SMTP_PORT directly into pialert.conf without validation. A background cron process reloads this file every 3–5 minutes using Python's exec(), turning any injected content into executable code. On default installations where PIALERT_WEB_PROTECTION = False, no credentials are required to reach the vulnerable endpoint. Successful exploitation yields unauthenticated operating system command execution as the Pi.Alert service user [CWE-94].

Critical Impact

Remote, unauthenticated attackers can achieve OS-level code execution on default Pi.Alert deployments by submitting a single crafted configuration update.

Affected Products

• Pi.Alert versions released prior to 2026-05-07
• Default installations with PIALERT_WEB_PROTECTION = False
• Deployments exposing the Pi.Alert web interface to untrusted networks

Discovery Timeline

• 2026-05-07 - Fixed release published by the Pi.Alert maintainers
• 2026-05-27 - CVE-2026-44888 published to NVD
• 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44888

Vulnerability Analysis

Pi.Alert stores runtime configuration in pialert.conf, a Python source file consumed by the application's background cron worker. The worker loads the file using Python's exec() builtin, which evaluates the file contents as Python code rather than parsing it as data. The web interface exposes a SaveConfigFile() endpoint that accepts configuration updates and writes them back to pialert.conf. Numeric fields such as SMTP_PORT are written verbatim, without type coercion, escaping, or validation. An attacker submits a payload disguised as a numeric value but containing arbitrary Python statements. Within minutes, the cron process re-reads the file and executes the injected code under the Pi.Alert service account.

Root Cause

The root cause is twofold. First, Pi.Alert uses exec() against an attacker-influenced configuration file, conflating code and data. Second, the SaveConfigFile() handler performs no input validation on numeric fields, violating the assumption made by the loader that values are well-formed Python literals. The combined effect maps to CWE-94: Improper Control of Generation of Code.

Attack Vector

An attacker reaches the SaveConfigFile() endpoint over the network. On default installations, web protection is disabled and the request requires no authentication. The attacker submits a configuration update where a numeric field carries a Python payload (for example, an os.system() call appended after a digit and a newline). The malicious file is written to disk, and the next cron tick imports it through exec(), executing the payload. The result is unauthenticated remote code execution against the host operating system. See the GitHub Security Advisory for further technical context.

Detection Methods for CVE-2026-44888

Indicators of Compromise

• Modifications to pialert.conf that contain non-numeric characters, semicolons, newlines, or Python keywords inside numeric fields such as SMTP_PORT.
• Unexpected child processes spawned by the Pi.Alert cron worker, including shells, curl, wget, or interpreters.
• Outbound network connections from the Pi.Alert host to unfamiliar destinations shortly after a configuration save event.
• New cron entries, SSH keys, or systemd units created by the Pi.Alert service user.

Detection Strategies

• Monitor file integrity on pialert.conf and alert on writes that introduce Python statements rather than literal values.
• Inspect HTTP access logs for POST requests to the SaveConfigFile() endpoint, especially from external IP addresses.
• Correlate configuration save events with subsequent process executions by the Pi.Alert background worker.
• Apply YARA or regex rules that flag injected patterns such as __import__, os.system, or subprocess inside the configuration file.

Monitoring Recommendations

• Forward Pi.Alert web server logs and host process telemetry to a centralized analytics pipeline for correlation.
• Baseline normal child-process trees of the Pi.Alert cron worker and alert on deviations.
• Track outbound DNS and HTTP traffic from the Pi.Alert host to identify command-and-control or staging activity.

How to Mitigate CVE-2026-44888

Immediate Actions Required

• Upgrade Pi.Alert to the 2026-05-07 release or later, which fixes the configuration write path.
• Set PIALERT_WEB_PROTECTION = True and configure authentication before re-exposing the web interface.
• Restrict network access to the Pi.Alert UI using firewall rules or a reverse proxy with access control.
• Audit pialert.conf for unexpected content and rebuild the host if injection is suspected.

Patch Information

The maintainers fixed the issue in the Pi.Alert release dated 2026-05-07. The fix validates numeric configuration values before persisting them and is documented in the Pi.Alert GHSA-xg85-f8qw-7c5f advisory. Operators running source checkouts should pull the latest commit and restart both the web and cron components.

Workarounds

• Place Pi.Alert behind an authenticating reverse proxy that blocks anonymous access to the SaveConfigFile() endpoint.
• Bind the Pi.Alert web service to localhost and tunnel access through SSH or VPN until patching is complete.
• Run the Pi.Alert process under a dedicated low-privilege user with no shell, limiting the impact of code execution.

# Example: restrict Pi.Alert to localhost and require auth via nginx
sudo ufw default deny incoming
sudo ufw allow from 127.0.0.1 to any port 20211 proto tcp
# Enable Pi.Alert web protection in pialert.conf
sudo sed -i 's/^PIALERT_WEB_PROTECTION.*/PIALERT_WEB_PROTECTION = True/' /opt/pialert/config/pialert.conf
sudo systemctl restart pialert