CVE-2026-30303
OS Command Injection in Axon Code Auto-Approval Enables RCE
Publication date: 2026-03-27
Last updated on: 2026-04-02
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| matterai | axon_code | up to and including 4.123.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Axon Code's command auto-approval module allows attackers to bypass whitelist security mechanisms and achieve arbitrary remote code execution. This security flaw could potentially lead to unauthorized access or manipulation of sensitive data or systems.
Given that the vulnerability enables remote code execution by circumventing security controls, it may increase the risk of data breaches or unauthorized data processing, which could negatively impact compliance with regulations such as GDPR or HIPAA that require strict controls over data security and privacy.
However, the provided information does not explicitly detail the direct impact of this vulnerability on compliance with specific standards or regulations.
Can you explain this vulnerability to me?
The vulnerability in Axon Code's command auto-approval module is an OS Command Injection flaw caused by using a Unix-style shell-quote library to parse commands that are then executed on a Windows platform. That parser does not understand Windows CMD escape sequences, in particular the caret (^) character.
An attacker can craft a command such as `git log ^" & malicious_command ^"`. The Unix-style parser treats the `"` after the caret as opening a quoted string, so the ampersand (&) ends up inside what it considers a protected argument and the command is auto-approved. Windows CMD, however, treats `^"` as a literal quote character that does not open a string, so the ampersand remains a command separator and the command after it is executed directly.
This discrepancy between the parsing logic and the execution environment bypasses the whitelist security mechanism, allowing arbitrary Remote Code Execution (RCE) even though the command appears to pass the legitimate Git command checks.
How can this vulnerability impact me?
This vulnerability allows attackers to bypass the whitelist security mechanism in Axon Code and execute arbitrary commands remotely on the affected system.
As a result, an attacker can perform Remote Code Execution (RCE), potentially gaining unauthorized control over the system, executing malicious commands, and compromising system integrity and confidentiality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious command execution patterns that exploit the Windows CMD escape sequence handling flaw in the Axon Code auto-approval module.
Specifically, look for commands containing escape characters such as the caret (^) used in unusual ways, for example payloads like `git log ^" & malicious_command ^"` where the ampersand (&) is used to chain commands.
On Windows systems, you can use PowerShell or CMD to search logs or running processes for such suspicious command patterns.
- Use PowerShell to search script block logging events (ID 4104, recorded in the Microsoft-Windows-PowerShell/Operational log) for suspicious command lines: `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational';ID=4104} | Where-Object { $_.Message -match '\^" &' }`. This only covers commands that pass through PowerShell; commands launched via cmd.exe appear in process-creation auditing (Security event 4688, with command-line logging enabled) instead.
- Use Sysinternals Process Monitor to filter for command lines containing caret (^) escape sequences combined with ampersand (&) characters.
- Check Git-related logs or audit trails for commands with unusual escape sequences or concatenated commands.
Because the vulnerability exploits a parsing discrepancy, detection should focus on identifying commands that appear to be legitimate Git commands but include suspicious escape sequences and command chaining operators.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the use of the vulnerable command auto-approval module in Axon Code until a patch is available.
Avoid relying solely on the whitelist security mechanism of the affected module, as it can be bypassed due to incorrect command parsing.
- Apply any available updates or patches from the vendor that address the command parsing and escape sequence handling issues.
- Implement additional command validation and sanitization layers that correctly handle Windows CMD escape sequences, especially the caret (^) character.
- Restrict permissions and execution rights for the Axon Code AI Agent to limit the impact of potential exploitation.
- Monitor systems for suspicious command execution patterns as described in detection steps.
Long-term mitigation involves updating the command parser to use a Windows-compatible parsing library and improving the handling of escape sequences to prevent bypass.
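The discrepancy described above, and the kind of Windows-aware validation layer the mitigation calls for, as an added illustration (not code from Axon Code or from the advisory). Python's `shlex` stands in for the Unix-style shell-quote parser; the git subcommand allowlist and the `malicious_command` placeholder are constructed for the example.

```python
import re
import shlex

# Characters cmd.exe interprets as escapes, operators or variable expansion.
CMD_METACHARS = set('&|<>^%!()\r\n')
# Constructed allowlist of read-only git subcommands for the example.
ALLOWED_GIT_SUBCOMMANDS = {"log", "status", "diff", "show", "branch"}
# Conservative character class for arguments (no quotes, no operators).
SAFE_ARG = re.compile(r'[A-Za-z0-9_./:=~@\-]+')


def unix_style_auto_approve(command: str) -> bool:
    """Weak check modelled on a Unix shell-quote style parser.

    Mirrors the flawed logic: the parser sees `^"` as a caret followed by
    an opening quote, so `&` is swallowed into a quoted argument and the
    operator scan never sees it.
    """
    try:
        tokens = shlex.split(command)  # POSIX quoting rules, not CMD rules
    except ValueError:
        return False
    if len(tokens) < 2 or tokens[0] != "git":
        return False
    if tokens[1] not in ALLOWED_GIT_SUBCOMMANDS:
        return False
    # Only stand-alone operator tokens are rejected; quoted text is trusted.
    return not any(t in ("&", "&&", "|", "||", ";") for t in tokens)


def windows_aware_auto_approve(command: str) -> bool:
    """Hardened check: do not emulate CMD, refuse anything it could reinterpret.

    Any CMD metacharacter anywhere in the raw string is rejected before any
    tokenisation, so caret tricks cannot hide an operator inside a "quote".
    """
    if any(ch in CMD_METACHARS for ch in command):
        return False
    tokens = command.split()
    if len(tokens) < 2 or tokens[0] != "git":
        return False
    if tokens[1] not in ALLOWED_GIT_SUBCOMMANDS:
        return False
    return all(SAFE_ARG.fullmatch(t) for t in tokens[2:])


if __name__ == "__main__":
    probe = 'git log ^" & malicious_command ^"'  # payload shape from the advisory
    print("unix-style parser approves:", unix_style_auto_approve(probe))
    print("windows-aware check approves:", windows_aware_auto_approve(probe))
```

Running the block shows the Unix-style check approving the caret payload while the Windows-aware check rejects it, and both still accepting a plain `git log --oneline -n 5`.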