Compliance Impact

The provided information does not include any details about the impact of CVE-2026-31040 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-31040 is a command injection vulnerability in the stata-mcp package prior to version 1.13.0. It occurs because the software executes user-supplied Stata do-files directly using Python's subprocess.Popen with shell=True, without properly validating or sanitizing the content of these do-files.

Stata do-files can contain shell-escape directives (such as lines starting with "!whoami", "!ls", or "shell curl") that allow execution of arbitrary operating system commands on macOS and Linux systems. An attacker can embed malicious OS commands inside a do-file, which when executed by the MCP Server, leads to remote code execution on the host machine.

The vulnerability affects the stata_do tool and the ssc_install package that internally calls stata_do. The exploit chain involves writing or installing a malicious do-file, which is then executed by the vulnerable subprocess call, allowing arbitrary OS commands to run.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution (RCE) on the host machine running the stata-mcp package. An attacker who can supply or influence the content of a Stata do-file can execute arbitrary operating system commands with the privileges of the MCP Server process.

Such command execution can compromise the confidentiality, integrity, and availability of the affected system by allowing attackers to run malicious code, access sensitive data, modify or delete files, or disrupt services.

The vulnerability is particularly dangerous because it exploits a feature intended for legitimate shell commands within Stata scripts, making it a stealthy and powerful attack vector.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the execution of malicious Stata do-files containing shell-escape directives such as "!cmd" or "shell cmd" that allow arbitrary OS command execution. Detection can focus on identifying such suspicious do-files or monitoring for execution of Stata do-files with these directives.

Suggested detection methods include scanning do-files for lines starting with "!" or containing "shell" commands before execution.

• Use grep or similar tools to search for shell-escape directives in do-files, e.g.: grep -E '^!|shell ' *.do
• Monitor subprocess calls that invoke Stata do-files with shell=True in Python scripts or logs.
• Check for unexpected or unauthorized do-file executions on the system.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing the execution of Stata do-files containing shell-escape directives and avoiding the use of subprocess.Popen with shell=True when running these scripts.

• Implement validation to scan and reject do-files containing shell-escape commands such as "!cmd" or "shell cmd" before execution.
• Upgrade to stata-mcp version 1.13.0 or later, which includes a security guard blocking shell-escape directives.
• Restrict execution of do-files to authorized directories and sanitize inputs to avoid malicious content.
• Avoid using subprocess.Popen with shell=True in the code that executes Stata do-files.

Useful 0 Not Useful 0