CVE-2026-4198
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in hypermodel-labs MCP-Server-Auto-Commit Local Function

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in hypermodel-labs mcp-server-auto-commit 1.0.0. Affected by this vulnerability is the function getGitChanges of the file index.ts. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. Patch name: f7d992c830c5f2ec5749852e66c0195e3ed7fe30. Applying a patch is the recommended action to fix this issue. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4198
EUVD
EUVD-2026-12267
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
hypermodel-labs mcp-server-auto-commit to 0.0.1 (inc)
hypermodel-labs mcp-server-auto-commit 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4198 is a command injection vulnerability found in the hypermodel-labs mcp-server-auto-commit version 1.0.0, specifically in the function getGitChanges within the file index.ts.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the software uses Node.js's child_process.exec function to run shell commands that include user-controlled input without proper sanitization or escaping. This allows an attacker with local access to inject arbitrary shell commands by including shell metacharacters in the input."}, {'type': 'paragraph', 'content': "The injected commands execute with the same privileges as the MCP server process, potentially compromising the system's confidentiality, integrity, and availability."}, {'type': 'paragraph', 'content': 'A patch has been released that replaces the unsafe exec usage with execFile, which executes commands without invoking a shell and thus prevents command injection.'}] [1, 2, 3, 5, 6]

Impact Analysis

Successful exploitation of this vulnerability allows an attacker with local access to execute arbitrary shell commands on the server hosting the MCP service.

This can lead to unauthorized access to sensitive data, modification of the server environment, and potentially full compromise of the affected system depending on the privileges of the MCP server process.

Because the injected commands run with the same privileges as the MCP server, attackers can perform a wide range of malicious actions, including data theft, service disruption, or further lateral movement within the network.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a local command injection flaw in the hypermodel-labs mcp-server-auto-commit tool, specifically in the getGitChanges function of index.ts. Detection involves checking for unsafe usage of Node.js child_process.exec with user-controlled input, particularly the autoCommitPath parameter.

A practical detection method is to attempt to inject shell metacharacters into the autoCommitPath parameter and observe if arbitrary commands execute. For example, injecting a command like `& whoami > poc.txt` to see if a file named poc.txt is created containing the output of whoami.

Suggested commands to test for the vulnerability locally include running the git-changes-commit-message tool with a crafted autoCommitPath value containing shell metacharacters, such as:

  • Set autoCommitPath to a value like `D:\claude-projects\mcp-server-auto-commit & whoami > poc.txt`
  • Run the git-changes-commit-message tool and check if the file poc.txt is created, indicating command injection.

This approach is based on the proof of concept described in the security advisory, which demonstrates command injection by redirecting output of injected commands to files.

Mitigation Strategies

The primary mitigation step is to apply the available patch identified by commit f7d992c830c5f2ec5749852e66c0195e3ed7fe30, which replaces the unsafe use of child_process.exec with child_process.execFile. This change prevents shell interpretation of user input and eliminates the command injection risk.

Additional immediate steps include:

  • Avoid using child_process.exec for executing shell commands with user-controlled input.
  • Implement strict input validation and sanitization on all parameters exposed to MCP clients, especially autoCommitPath.
  • Use parameter separation and proper escaping techniques to prevent shell command injection.

Since the vulnerability requires local access, restrict access to the MCP server environment to trusted users only until the patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4198. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart