Technical description
NVD published four CVEs on May 31 affecting Aider-AI Aider version 0.86.3, a popular open-source AI coding assistant with >20K GitHub stars used widely by developers and AI engineering teams. CVE-2026-10175 (CVSS 6.3): code injection via the editor_coder.run function in Architect Mode — remote attacker can inject and execute arbitrary code with low complexity and no prior authentication. CVE-2026-10174 (CVSS 6.3): pre-commit hook handler allows manipulation of the git-commit-verify argument, bypassing protection mechanisms. CVE-2026-10176 (CVSS 6.3): SQL injection in the code generation workflow component. CVE-2026-10177 (CVSS 6.3): SSRF via the requests.get function in api_docs.py, exploiting AWS EC2 metadata endpoint access. Public exploits exist for all four CVEs. The vendor has not yet responded or issued fixes as of May 31.
Attack vector
All four CVEs are network-exploitable with low attack complexity. CVE-2026-10175 and CVE-2026-10174 require low privileges; CVE-2026-10176 and CVE-2026-10177 appear exploitable without authentication depending on deployment context. Aider operates with broad file-system and shell access by design, meaning code injection in its Architect Mode carries significant blast radius on developer workstations and CI/CD environments.
Affected systems
Aider-AI Aider version 0.86.3, on any host where it is installed and reachable remotely: developer workstations, CI/CD pipelines, and cloud-hosted development environments.
Mitigation
No official patch available as of May 31. Mitigations:
(1) Restrict Aider to local-only access (no network-exposed instances);
(2) Disable Architect Mode if not required;
(3) Monitor vendor GitHub (https://github.com/Aider-AI/aider) for a patched release;
(4) Treat Aider as an untrusted input boundary: do not co-locate it with production credentials or secrets.
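One detection a defender can run while a fix is pending, given that CVE-2026-10177 is described as SSRF reaching the AWS EC2 metadata endpoint: scan outbound-request or egress-proxy logs from hosts running Aider for calls to the instance metadata service. The script below is an added example and is not code from the advisory or from the Aider project. It assumes a hypothetical one-line-per-request log format ("timestamp client method url status"); the sample lines are constructed. The two metadata addresses are the well-known AWS IMDS IPv4 and IPv6 endpoints, and any other link-local destination is flagged as suspicious because a coding assistant has no ordinary reason to call one.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Well-known AWS instance metadata service (IMDS) endpoints.
IMDS_HOSTS = {"169.254.169.254", "fd00:ec2::254"}

# Constructed sample log in the assumed "ts client method url status" format.
SAMPLE_LOG = """\
2026-05-31T10:00:01Z 10.0.1.5 GET https://pypi.org/simple/requests/ 200
2026-05-31T10:00:02Z 10.0.1.5 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2026-05-31T10:00:03Z 10.0.1.7 GET https://docs.python.org/3/library/ 200
2026-05-31T10:00:04Z 10.0.1.5 GET http://[fd00:ec2::254]/latest/meta-data/ 200
2026-05-31T10:00:05Z 10.0.1.9 GET http://169.254.10.20/internal/ 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def classify_url(url):
    """Return 'imds' for a metadata endpoint, 'link-local' for any other
    169.254.0.0/16 or fe80::/10 destination, and None otherwise."""
    host = urlparse(url).hostname  # lowercases and strips [] from IPv6 literals
    if host is None:
        return None
    if host in IMDS_HOSTS:
        return "imds"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name, not an IP literal
    if addr.is_link_local:
        return "link-local"
    return None


def find_metadata_access(log_text):
    """Parse the log and return one finding per request aimed at IMDS or
    another link-local address; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify_url(m["url"])
        if kind is not None:
            findings.append(
                {"ts": m["ts"], "client": m["client"], "url": m["url"], "kind": kind}
            )
    return findings


if __name__ == "__main__":
    for f in find_metadata_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} {f['kind']:10} {f['url']}")
```

Matching on the parsed hostname rather than a substring catches the bracketed IPv6 form and ignores the address appearing elsewhere in a URL. Hosts that can enforce IMDSv2 (token-based access) also reduce what a plain GET-based SSRF can retrieve, independent of this detection.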