CVE-2026-4199
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in bazinga012 mcp_code_executor installDependencies

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in bazinga012 mcp_code_executor up to 0.3.0. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available and might be used. It is best practice to apply a patch to resolve this issue. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4199
EUVD
EUVD-2026-12269
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bazinga012 mcp_code_executor to 0.3.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-4199 is a command injection vulnerability found in the bazinga012 mcp_code_executor project, specifically in the installDependencies function of the src/index.ts file. The vulnerability arises because the software constructs shell commands by directly concatenating user-controlled input (package names) into command strings executed via a shell. This unsafe practice allows an attacker with local access to inject arbitrary shell commands by crafting malicious package names containing shell metacharacters.'}, {'type': 'paragraph', 'content': "The vulnerability is triggered when the install_dependencies tool uses Node.js's child_process.execAsync to run commands like conda install or pip install with user input. Since execAsync runs commands through a shell, injected commands can be executed with the same privileges as the MCP server process. The issue is due to improper sanitization and direct interpolation of untrusted input into shell commands."}, {'type': 'paragraph', 'content': "A proof of concept demonstrates that input such as 'numpy&whoami > poc.txt' in the packages parameter causes execution of the injected whoami command, writing its output to a file. The vulnerability can lead to arbitrary command execution, unauthorized data access, or modification of the host environment."}, {'type': 'paragraph', 'content': 'The vulnerability only allows local exploitation and affects versions up to 0.3.0. A patch replaces execAsync with execFileAsync, which executes commands without a shell by passing arguments as arrays, preventing shell interpretation and command injection.'}] [1, 2, 3, 4, 5]

Impact Analysis

Successful exploitation of this vulnerability allows an attacker with local access to execute arbitrary shell commands on the MCP server host with the same privileges as the MCP server process.

  • Execution of arbitrary commands leading to unauthorized data access.
  • Modification or disruption of the server environment.
  • Potential full system compromise depending on the privileges of the MCP server process.

Because the exploit is easy to perform and a proof of concept is publicly available, the risk is significant if the vulnerability is not patched. However, exploitation requires local access, limiting remote attack vectors.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves command injection through the installDependencies function in the mcp_code_executor tool, specifically via the packages parameter. Detection can focus on monitoring for suspicious command executions or unexpected file creations triggered by injected shell commands.

A proof of concept demonstrated injecting commands like `numpy&whoami > poc.txt` into the packages field, which causes execution of the `whoami` command and writes output to a file named poc.txt. Monitoring for such unexpected files or command executions can help detect exploitation attempts.

Suggested detection commands include searching for suspicious files created by injected commands, for example:

  • Check for unexpected files like poc.txt in the code storage directory: `find /path/to/code_storage -name poc.txt`
  • Monitor running processes for suspicious commands or shell executions related to package installation.
  • Audit logs or command histories for unusual package installation commands containing shell metacharacters such as `;`, `&`, or `|`.

Since the vulnerability requires local access and is triggered by local environment commands, network detection may be limited. Instead, focus on system-level monitoring and auditing of the mcp_code_executor usage and its install_dependencies tool.

Mitigation Strategies

The primary mitigation is to apply the available patch that replaces the unsafe use of child_process.execAsync with child_process.execFileAsync in the installDependencies function. This change avoids shell interpretation of user inputs by passing command arguments as arrays rather than concatenated shell strings.

Additional immediate steps include:

  • Avoid using execAsync or any shell command execution that interpolates user input directly.
  • Implement strict input validation and sanitization on all parameters, especially the packages parameter, to prevent injection of shell metacharacters.
  • Use parameter separation and proper escaping techniques to ensure user inputs cannot be interpreted as shell commands.
  • Restrict local access to the environment where mcp_code_executor runs to trusted users only, as exploitation requires local environment access.

Applying the patch from the official GitHub repository is strongly recommended to eliminate the vulnerability while preserving functionality.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4199. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart