CVE-2026-4496
Received Received - Intake
OS Command Injection in sigmade Git-MCP-Server Local exec Function

Publication date: 2026-03-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in sigmade Git-MCP-Server up to 785aa159f262a02d5791a5d8a8e13c507ac42880. Affected by this vulnerability is the function child_process.exec of the file src/gitUtils.ts of the component show_merge_diff/quick_merge_summary/show_file_diff. The manipulation results in os command injection. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. It is advisable to implement a patch to correct this issue. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4496
EUVD
EUVD-2026-13768
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sigmade git-mcp-server to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with local access to execute arbitrary operating system commands on the Git-MCP-Server host. This can lead to unauthorized actions such as reading or modifying files, creating new files, or executing malicious code.'}, {'type': 'paragraph', 'content': "Because the server executes commands with user-controlled inputs without sanitization, an attacker can leverage this to compromise the server's integrity and confidentiality."}, {'type': 'paragraph', 'content': 'The exploit has been publicly disclosed, increasing the risk of exploitation if the vulnerability is not patched.'}] [1, 4]

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-4496 is a command injection vulnerability found in the Git-MCP-Server project, specifically in the tools show_merge_diff, quick_merge_summary, and show_file_diff. The root cause is the unsafe use of Node.js's child_process.execSync function, which executes shell commands constructed by concatenating user-supplied inputs without proper validation or sanitization."}, {'type': 'paragraph', 'content': 'Because the inputs such as repoPath, fromBranch, toBranch, branch, and filename are directly concatenated into shell commands, an attacker with local access can inject shell metacharacters (e.g., &, ;, &&) to execute arbitrary commands on the server.'}, {'type': 'paragraph', 'content': 'The vulnerability arises from the executeGit() function in src/gitUtils.ts, which is called by various tool functions and executes these unsafe commands. This allows an attacker to run arbitrary OS commands on the MCP server.'}] [1, 4]

Detection Guidance

This vulnerability can be detected by testing the affected Git-MCP-Server tools for command injection via their parameters. Specifically, the parameters repoPath, fromBranch, toBranch, branch, and filename in the tools show_merge_diff, quick_merge_summary, and show_file_diff are vulnerable.

A practical detection method is to attempt injecting shell metacharacters such as ;, &, or && into these parameters and observe if arbitrary commands execute on the server.

For example, you can start the MCP server and use the show_merge_diff tool with a payload like the following in fromBranch or toBranch:

  • D:\claude-projects\Git-MCP-Server HEAD&whoami > poc.txt&echo HEAD

If the server creates a file named poc.txt containing the output of the whoami command, this confirms the presence of the command injection vulnerability.

No specific network commands are provided, but detection involves interacting with the MCP server tools and injecting payloads to verify command execution.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include:'}, {'type': 'list_item', 'content': "Replace the use of Node.js's child_process.execSync with execFileSync, which executes commands without invoking a shell, preventing shell command injection."}, {'type': 'list_item', 'content': 'Modify the code to pass command arguments as separate parameters (arrays) rather than concatenated strings, ensuring proper argument parsing and avoiding injection.'}, {'type': 'list_item', 'content': 'Implement strict input validation and sanitization on all user-supplied parameters exposed to MCP clients, especially repoPath, fromBranch, toBranch, branch, and filename.'}, {'type': 'list_item', 'content': 'Use parameter separation and proper escaping techniques to prevent shell metacharacter injection.'}, {'type': 'paragraph', 'content': 'Since the product operates on a rolling release basis and no patched versions are currently available, applying these code changes or workarounds is critical to mitigate the risk.'}] [1, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4496. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart