MEDIUM 6.3

CVE-2026-10176: SQL Injection in Aider-AI Aider 0.86.3 Code Generation

Aider-AI's Aider version 0.86.3 contains a SQL injection vulnerability in its code generation workflow that can be exploited by authenticated users to manipulate database queries. While the vulnerability requires login credentials to trigger, an attacker with access can extract, modify, or delete sensitive data. Public exploit information is available, increasing the near-term risk of active exploitation.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-74, CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Aider-AI Aider 0.86.3. Affected by this issue is some unknown functionality of the component Code Generation Workflow. Executing a manipulation can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10176 is a SQL injection flaw (CWE-89, CWE-74) residing in Aider 0.86.3's code generation workflow component. The vulnerability stems from insufficient input validation in an unknown function, allowing attackers to inject arbitrary SQL commands. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) reflects a network-exploitable attack requiring only low complexity and valid authentication, with limited scope and impact to confidentiality, integrity, and availability. Public proof-of-concept code has been disclosed.

Business impact

Organizations using Aider 0.86.3 face data breach risk if users with legitimate access become compromised or if insider threats are present. An attacker with authenticated access can query, modify, or corrupt database records underlying code generation workflows. This could lead to corrupted generated code, intellectual property theft, or downstream supply-chain risks if generated artifacts are deployed without review. Remediation delay amplifies exposure, particularly in environments where Aider integrates with sensitive development infrastructure.

Affected systems

Aider-AI Aider version 0.86.3 is confirmed vulnerable. The vendor has not yet published patch information or provided guidance on unaffected versions. Organizations should inventory all instances of Aider 0.86.3 in development, staging, and production environments. The flaw affects the code generation workflow component; any deployment using this functionality is at risk.

Exploitability

Exploitation requires valid authentication credentials, limiting attack surface to authorized users or threat actors who have obtained valid accounts. However, public exploit availability—combined with low attack complexity—substantially lowers the barrier to weaponization. Remote exploitability over the network means no local access is needed. The lack of vendor response increases confidence that patches will take time to develop and deploy, extending the window of vulnerability.

Remediation

Immediate action: Do not upgrade to 0.86.3 if not already deployed; isolate or restrict access to existing 0.86.3 instances pending vendor guidance. Monitor Aider-AI's repository and security advisories for a patched version. When available, test updates in non-production environments before rollout. If patch availability is delayed, consider disabling or sandboxing the code generation workflow on affected systems. Implement database access controls and IP-based network segmentation to limit authenticated user scope.

Patch guidance

Verify the Aider-AI repository and official security channels for available patches beyond 0.86.3. At the time of this advisory's publication, no patched version number has been publicly announced. Once a patch is released, apply it to all affected instances, prioritizing development and integration systems that process untrusted or third-party code. Test patches in staging before production deployment.

Detection guidance

Monitor application and database logs for suspicious SQL patterns originating from Aider 0.86.3 processes (unusual WHERE clauses, UNION SELECT statements, time-delay commands). Implement database activity monitoring (DAM) or query auditing for accounts used by Aider. Search for unusual data access or modification timestamps correlating with authentication events. Network-level detection can flag anomalous outbound database queries or exfiltration from systems running 0.86.3.

Why prioritize this

Although CVSS 6.3 is rated MEDIUM, several factors warrant higher prioritization: public exploit availability, authenticated-but-low-barrier access, impact to code integrity and data confidentiality, and the developer-centric nature of Aider (which suggests deployment in security-sensitive build pipelines). The vendor's lack of response raises uncertainty about patch timelines. Organizations should treat this as elevated-priority pending vendor communication.

Risk score, explained

The CVSS 3.1 score of 6.3 reflects moderate severity: network-accessible, low-complexity SQL injection requiring authentication, affecting confidentiality, integrity, and availability equally. The score does not capture the elevated practical risk posed by public exploit code or Aider's integration into development workflows. Risk should be assessed in context of your organization's use of Aider, the sensitivity of data it processes, and the privileges of authenticated users.

Frequently asked questions

Do I need valid Aider credentials to exploit this vulnerability?

Yes. The vulnerability requires PR:L (low privilege) authentication. An attacker must possess or obtain valid Aider credentials or compromise an existing user account. This limits the attack surface but does not eliminate it—compromised developer accounts or insider threats remain viable attack vectors.

What should I do if I'm currently running Aider 0.86.3?

Assess your risk posture: inventory the system's role (development, staging, production), the sensitivity of data it can access, and the privilege level of service accounts. Restrict access to the system if possible, implement database audit logging, and monitor closely. Contact Aider-AI through their repository for patch status. Prepare a migration or upgrade plan for when a patch becomes available.

Can this vulnerability be exploited without network access?

No. The CVSS vector indicates AV:N (network-accessible), meaning an attacker can trigger the flaw remotely. However, they still need valid authentication credentials to do so.

Is there a workaround if I can't immediately patch or upgrade?

Partial mitigations include: disabling or sandboxing the code generation workflow, restricting database access privileges for Aider's service account, implementing network segmentation to limit lateral movement, and enabling comprehensive audit logging. These do not eliminate the vulnerability but raise the cost of exploitation. They are not substitutes for patching.

This advisory is based on publicly available information as of the publication date. CVSS scores, patch status, and vendor guidance may change. Verify all technical details and patch availability against official Aider-AI channels before implementing remediation. This analysis does not constitute legal or compliance advice. Organizations are responsible for assessing their own risk and implementing appropriate controls based on their environment and threat model. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).