External risk intelligence

llm CLI tool could allow internal attacker to take full control of user systems

CVE advisory
Severity: CRITICAL (CVSS 9.8)

CVE-2026-31236

An internal attacker could use the llm tool to run code as the user and take full control of the user's computer. This could result in the theft of sensitive local files and stored credentials, creating a serious security risk for business information.

Halo Surface Signal score: 1

Code Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-31236

The vulnerability affects a CLI utility run locally by a user on their own system. It is not an internet-facing service, API, or network-reachable component. The attack requires local execution by the user, which does not constitute public network exposure.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the llm CLI tool that could allow attackers to run arbitrary Python code on a user's system. The tool passes the contents of its `--functions` argument straight to Python's `exec()` without validation, so any statement in that argument runs immediately with the privileges of the user who invoked the command. If exploited, this could lead to a complete compromise of the affected machine.

  • Allows arbitrary code execution with the user's privileges.
  • Could impact any user running the tool.
  • Exploitation requires tricking a user.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a user into running a specially crafted `llm` command. The malicious command would include arbitrary Python code within the `--functions` argument, which the `llm` tool then executes directly. This allows the attacker to achieve code execution on the victim's machine with the user's privileges.

  • Requires user to run command.
  • Targets `llm` CLI tool.
  • Social engineering needed.
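As an added example (not code from the llm project or from the advisory), the pattern described above is shown next to one way a loader could refuse anything but plain function definitions. The constructed sample sources, the denied names and the restricted builtins table are assumptions of this example; the "payload" only sets an environment variable so the demonstration is harmless, but it runs at load time exactly as a pasted `os.system(...)` would.

```python
# Added example, not the llm project's code. The exec() pattern the advisory
# describes next to an AST-checked loader that accepts nothing but plain
# function definitions. DENIED_NAMES and SAFE_BUILTINS are assumptions of
# this example, not a specification from the advisory.
import ast
import builtins
import os
from typing import Callable, Dict, Optional

MARKER = "LLM_DEMO_PAYLOAD_RAN"  # env var the constructed payload sets

# Constructed input (not real exploit code): one harmless-looking def plus
# top-level statements that run the moment the source hits exec().
MALICIOUS_FUNCTIONS = f'''
import os
def helper(x):
    return x
os.environ["{MARKER}"] = "1"  # stands in for os.system(...); runs at load time
'''

# Same payload hidden in a function body, so a check that only looks at
# top-level statements would wave it through.
HIDDEN_FUNCTIONS = f'''
def helper(x):
    __import__("os").environ["{MARKER}"] = "1"
    return x
'''

BENIGN_FUNCTIONS = '''
def add(a: int, b: int) -> int:
    """Add two numbers."""
    return a + b

def shout(s: str) -> str:
    return s.upper() + "!"
'''


def payload_ran() -> bool:
    """True once the constructed payload has executed in this process."""
    return os.environ.get(MARKER) == "1"


def load_functions_unsafe(source: str) -> Dict[str, Callable]:
    """The behaviour the advisory describes: the argument goes straight to
    exec(), so every top-level statement runs with the user's privileges."""
    ns: Dict[str, object] = {}
    exec(source, ns)  # deliberately unsafe; mirrors the reported flaw
    return {k: v for k, v in ns.items() if callable(v) and not k.startswith("__")}


class UnsafeFunctionSource(ValueError):
    """Raised when --functions source fails the structural check."""


DENIED_NAMES = {"exec", "eval", "compile", "__import__", "open", "getattr",
                "setattr", "delattr", "globals", "locals", "vars", "breakpoint"}
SAFE_BUILTINS = {n: getattr(builtins, n) for n in (
    "abs", "bool", "dict", "float", "int", "len", "list", "max", "min",
    "range", "round", "sorted", "str", "sum", "tuple")}


def check_function_source(source: str) -> ast.Module:
    """Parse without executing; reject anything other than plain defs whose
    bodies contain no import, no dunder attribute and no denied name."""
    tree = ast.parse(source)
    for node in tree.body:
        if not isinstance(node, ast.FunctionDef):
            raise UnsafeFunctionSource(
                f"line {node.lineno}: top-level {type(node).__name__}, only def allowed")
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            raise UnsafeFunctionSource(f"line {node.lineno}: import not allowed")
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            raise UnsafeFunctionSource(f"line {node.lineno}: dunder attribute access")
        if isinstance(node, ast.Name) and node.id in DENIED_NAMES:
            raise UnsafeFunctionSource(f"line {node.lineno}: use of {node.id!r}")
    return tree


def rejection_reason(source: str) -> Optional[str]:
    """The checker's reason for rejecting the source, or None if accepted."""
    try:
        check_function_source(source)
    except (UnsafeFunctionSource, SyntaxError) as exc:
        return str(exc)
    return None


def load_functions_checked(source: str) -> Dict[str, Callable]:
    """Execute only after the structural check passes, with a reduced
    builtins table. This raises the bar against pasted one-liners; it is
    not a sandbox, and the real fix is to not exec() untrusted input."""
    tree = check_function_source(source)
    ns: Dict[str, object] = {"__builtins__": SAFE_BUILTINS}
    exec(compile(tree, "<functions>", "exec"), ns)
    return {node.name: ns[node.name] for node in tree.body}
```

`load_functions_unsafe(MALICIOUS_FUNCTIONS)` returns the `helper` function and, as a side effect, sets the marker before anything has called `helper`, which is the whole problem: with `exec()` the load step is the execution step. `check_function_source` rejects both constructed payloads before any code runs and accepts the benign module, but an AST allowlist only narrows the attack surface; it still executes attacker-supplied source in-process, so treat it as defence in depth rather than a fix.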

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows critical code injection when a user is tricked into running a malicious command. Attackers might find it appealing because the `--functions` argument is handed directly to Python's `exec()`, so a successful lure yields full control of the system under the victim's account. However, the need for social engineering to get the command executed locally limits its immediate widespread impact. Note also that a 9.8 base score is normally reserved for a network-reachable, no-interaction vector, whereas the attack path described here is local and needs user interaction; weight the score for your own environment accordingly.

  • Requires user interaction for execution.
  • No exploitation in the wild has been observed.
  • No public exploit code is available.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking or restricting use of the `--functions` argument with the `llm` CLI tool (endpoint command-line controls are one way to do this) and inventory every system where it is installed. This vulnerability allows arbitrary code execution with the privileges of the user who runs the command, posing a critical risk if exploited through user interaction. Given that untrusted input is passed directly to `exec()`, immediate containment is paramount.

  • Block or restrict `llm --functions` usage.
  • Isolate or remove the `llm` CLI tool where it is not needed.
  • Monitor for unauthorized code execution, including `llm` processes launched with inline Python in `--functions`.
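As an added example of the monitoring step (constructed for this page; not a vendor detection rule and not the llm project's code), the following triage pass reads process-creation events and reports every `llm` invocation that carries `--functions`, separating a value that points at a file from one that is inline Python source, which is the shape a pasted social-engineering payload takes. The event format (JSON lines with `ts`, `user` and `cmdline` as argv), the sample events and the indicator list are assumptions of this example.

```python
# Added example, not the llm project's code and not a vendor detection rule.
# Triage of process-creation events for llm invocations that carry --functions.
# The event shape (JSON lines with ts/user/cmdline-as-argv) and the indicator
# patterns are assumptions of this example.
import json
import os
import re
from typing import Dict, List

# Constructed sample telemetry (not real events). "ZWNobyBwd25lZA==" is
# base64 for the harmless string "echo pwned".
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2026-04-01T09:12:03Z", "user": "alice",
     "cmdline": ["llm", "--functions", "./tools/weather.py", "forecast for Oslo"]},
    {"ts": "2026-04-01T09:15:41Z", "user": "bob",
     "cmdline": ["llm", "--functions", "def add(a, b): return a + b", "what is 2 + 3"]},
    {"ts": "2026-04-01T09:20:07Z", "user": "carol",
     "cmdline": ["/usr/local/bin/llm",
                 "--functions=import os, base64\ndef t(): pass\n"
                 "os.system(base64.b64decode('ZWNobyBwd25lZA==').decode())",
                 "hi"]},
    {"ts": "2026-04-01T09:21:55Z", "user": "dave",
     "cmdline": ["grep", "--functions", "llm", "notes.txt"]},
])

# Substrings that have no business in a tool-function definition (assumption).
INDICATORS: Dict[str, re.Pattern] = {
    "shell_exec": re.compile(r"\b(os\.system|os\.popen|subprocess|pty\.spawn)\b"),
    "dynamic_import": re.compile(r"__import__|importlib"),
    "eval_exec": re.compile(r"\b(exec|eval|compile)\s*\("),
    "network": re.compile(r"\b(socket|urllib|requests|http\.client)\b"),
    "encoding": re.compile(r"\bbase64\b|\\x[0-9a-fA-F]{2}"),
    "file_access": re.compile(r"\bopen\s*\("),
}


def extract_functions_args(argv: List[str]) -> List[str]:
    """Every value given to --functions (both '--functions X' and
    '--functions=X'); [] when argv is not an llm invocation at all."""
    if not argv or os.path.basename(argv[0]) != "llm":
        return []
    values = []
    for i, arg in enumerate(argv):
        if arg == "--functions" and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith("--functions="):
            values.append(arg.split("=", 1)[1])
    return values


def looks_like_inline_source(value: str) -> bool:
    """A path to a .py file has none of these; pasted Python source does."""
    return any(tok in value for tok in ("\n", "def ", ";", "(", "import "))


def classify_functions_arg(value: str) -> Dict[str, object]:
    """A file path is informational; inline source is at least medium;
    inline source with indicators or load-time statements is high."""
    if not looks_like_inline_source(value):
        return {"kind": "path", "indicators": [], "severity": "info"}
    hits = [name for name, rx in INDICATORS.items() if rx.search(value)]
    # Anything at top level other than a def (or decorator/comment) executes
    # the moment exec() is called, before any function is ever invoked.
    top_level = [ln for ln in value.splitlines()
                 if ln.strip() and not ln[0].isspace()
                 and not ln.startswith(("def ", "@", "#"))]
    if top_level:
        hits.append("top_level_code")
    return {"kind": "inline", "indicators": hits,
            "severity": "high" if hits else "medium"}


def triage(jsonl: str) -> List[Dict[str, object]]:
    """One finding per --functions value seen in an llm process event."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for value in extract_functions_args(event.get("cmdline", [])):
            finding = {"ts": event["ts"], "user": event["user"], "arg": value}
            finding.update(classify_functions_arg(value))
            findings.append(finding)
    return findings
```

Run over the constructed events, `triage(SAMPLE_EVENTS)` yields an informational finding for alice (a file path), a medium one for bob (inline but only a `def`) and a high one for carol (`shell_exec`, `encoding` and `top_level_code`), and ignores dave's `grep`. The path-versus-inline split matters because `--functions` is a supported feature: alerting on every use is noise, while inline source, and above all statements outside a `def`, is what a pasted payload looks like.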

Frequently asked questions

What is the llm CLI tool and its critical vulnerability?

The llm CLI tool is a command-line interface that lets users supply custom Python functions through its --functions argument. It contains a critical code injection vulnerability (CVE-2026-31236): the Python code provided via --functions is executed directly, with no validation or security restrictions. This flaw, classified as CWE-94, allows arbitrary code execution on the user's system with the user's privileges.

How can CVE-2026-31236 be exploited?

An attacker can exploit this vulnerability by tricking a user into running a specially crafted llm command. This command would include malicious Python code within the --functions argument, which the llm tool then executes unsafely using `exec()`. This social engineering tactic leads to arbitrary code execution with the privileges of the user running the command.

What is the impact of the llm CLI tool vulnerability?

Successful exploitation of CVE-2026-31236 can grant an attacker full code execution on the victim's system. This could lead to credential theft, data exfiltration, and complete system compromise. The critical severity (CVSS 9.8) underscores the significant risk posed by this flaw.

What are the recommended steps to mitigate CVE-2026-31236?

To mitigate this vulnerability, block or restrict commands that use the --functions argument with the llm CLI tool until a fixed release is available and verified. Additionally, inventory all systems with the llm CLI installed, check the installed version on each so that a fix can be rolled out as soon as one is published, and educate users about the risks of running unvetted commands, in particular commands copied from untrusted sources that carry inline Python in --functions.

What is CWE-94 and how does it relate to CVE-2026-31236?

CWE-94 refers to 'Improper Control of Generation of Code,' a weakness class where software constructs code segments using externally influenced input without proper neutralization. CVE-2026-31236 fits this description because the llm CLI tool executes Python code from the --functions argument directly with `exec()`, without validating or sanitizing the input, thus allowing attackers to inject and run arbitrary code.
