CVE-2026-4199
Command Injection in bazinga012 mcp_code_executor installDependencies
Publication date: 2026-03-16
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| bazinga012 | mcp_code_executor | to 0.3.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-4199 is a command injection vulnerability found in the bazinga012 mcp_code_executor project, specifically in the installDependencies function of the src/index.ts file. The vulnerability arises because the software constructs shell commands by directly concatenating user-controlled input (package names) into command strings executed via a shell. This unsafe practice allows an attacker with local access to inject arbitrary shell commands by crafting malicious package names containing shell metacharacters.'}, {'type': 'paragraph', 'content': "The vulnerability is triggered when the install_dependencies tool uses Node.js's child_process.execAsync to run commands like conda install or pip install with user input. Since execAsync runs commands through a shell, injected commands can be executed with the same privileges as the MCP server process. The issue is due to improper sanitization and direct interpolation of untrusted input into shell commands."}, {'type': 'paragraph', 'content': "A proof of concept demonstrates that input such as 'numpy&whoami > poc.txt' in the packages parameter causes execution of the injected whoami command, writing its output to a file. The vulnerability can lead to arbitrary command execution, unauthorized data access, or modification of the host environment."}, {'type': 'paragraph', 'content': 'The vulnerability only allows local exploitation and affects versions up to 0.3.0. A patch replaces execAsync with execFileAsync, which executes commands without a shell by passing arguments as arrays, preventing shell interpretation and command injection.'}] [1, 2, 3, 4, 5]
How can this vulnerability impact me? :
Successful exploitation of this vulnerability allows an attacker with local access to execute arbitrary shell commands on the MCP server host with the same privileges as the MCP server process.
- Execution of arbitrary commands leading to unauthorized data access.
- Modification or disruption of the server environment.
- Potential full system compromise depending on the privileges of the MCP server process.
Because the exploit is easy to perform and a proof of concept is publicly available, the risk is significant if the vulnerability is not patched. However, exploitation requires local access, limiting remote attack vectors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection through the installDependencies function in the mcp_code_executor tool, specifically via the packages parameter. Detection can focus on monitoring for suspicious command executions or unexpected file creations triggered by injected shell commands.
A proof of concept demonstrated injecting commands like `numpy&whoami > poc.txt` into the packages field, which causes execution of the `whoami` command and writes output to a file named poc.txt. Monitoring for such unexpected files or command executions can help detect exploitation attempts.
Suggested detection commands include searching for suspicious files created by injected commands, for example:
- Check for unexpected files like poc.txt in the code storage directory: `find /path/to/code_storage -name poc.txt`
- Monitor running processes for suspicious commands or shell executions related to package installation.
- Audit logs or command histories for unusual package installation commands containing shell metacharacters such as `;`, `&`, or `|`.
Since the vulnerability requires local access and is triggered by local environment commands, network detection may be limited. Instead, focus on system-level monitoring and auditing of the mcp_code_executor usage and its install_dependencies tool.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply the available patch that replaces the unsafe use of child_process.execAsync with child_process.execFileAsync in the installDependencies function. This change avoids shell interpretation of user inputs by passing command arguments as arrays rather than concatenated shell strings.
Additional immediate steps include:
- Avoid using execAsync or any shell command execution that interpolates user input directly.
- Implement strict input validation and sanitization on all parameters, especially the packages parameter, to prevent injection of shell metacharacters.
- Use parameter separation and proper escaping techniques to ensure user inputs cannot be interpreted as shell commands.
- Restrict local access to the environment where mcp_code_executor runs to trusted users only, as exploitation requires local environment access.
Applying the patch from the official GitHub repository is strongly recommended to eliminate the vulnerability while preserving functionality.