CVE-2026-5831
Remote OS Command Injection in Agions taskflow-ai Terminal Execute

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: VulDB

Description
A security flaw has been discovered in Agions taskflow-ai up to and including version 2.1.8. It affects an unknown function in the file src/mcp/server/handlers.ts of the component terminal_execute. Manipulation of the command input results in OS command injection, and the attack can be carried out remotely. Upgrading to version 2.1.9 fixes this issue; the fixing commit is c1550b445b9f24f38c4414e9a545f5f79f23a0fe. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-09
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product       Version / Range
agions   taskflow-ai   up to 2.1.8 (inclusive)
agions   taskflow-ai   2.1.9
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-5831 is a command injection vulnerability in the Agions taskflow-ai project, affecting versions up to 2.1.8. The flaw exists in the MCP CallTool handler, specifically in the hidden tool named `terminal_execute`. This tool accepts a command string where only the first token is validated against an allowlist, while the rest of the command is passed unsanitized to Node.js's execSync function.

Because of this improper validation, an attacker can inject shell metacharacters and arbitrary OS commands remotely, leading to execution of unintended commands on the host system.

The vulnerability arises from the request handler forwarding arbitrary tool names without verifying if they are registered or exposed, and the executor not properly sanitizing the entire command string before execution.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows remote OS command injection, which can lead to full host compromise including data exposure, unauthorized alteration of server state, and service disruption.

Such impacts on confidentiality, integrity, and availability of data and services can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly mention compliance implications or specific regulatory impacts.


How can this vulnerability impact me?

This vulnerability can have severe impacts including:

  • Confidentiality: High risk of exposure of sensitive host or system data.
  • Integrity: High risk of unauthorized modification of server state or data.
  • Availability: High risk of service disruption due to malicious command execution.

Since the vulnerability allows remote attackers to execute arbitrary OS commands with the permissions of the running process, it can lead to full host compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detecting exploitation of this vulnerability means identifying attempts to invoke the hidden tool `terminal_execute`, which is not listed among the advertised tools, or any other unregistered tool via the MCP CallTool handler. Monitoring for unusual or unauthorized CallTool requests whose command strings contain shell metacharacters (e.g., `;`, `&`, `|`) can reveal exploitation attempts.

Because the vulnerability passes unsanitized command strings to Node.js's execSync, any remotely submitted command string that contains shell metacharacters or chains additional commands should be treated as suspicious.

  • Monitor network traffic or logs for requests targeting the MCP CallTool handler with tool names like `terminal_execute`.
  • Look for command strings containing shell metacharacters such as `;`, `&`, `|`, `$`, `(`, `)`, `{`, `}`, `[`, `]`, `<`, `>`, `!`, `*`, `?`.
  • Use logging or intrusion detection systems to flag execution of commands that include suspicious patterns like `echo executor_poc; id` or similar injected commands.

Specific commands to detect exploitation attempts are not provided in the resources, but general approaches include inspecting server logs for unexpected CallTool invocations and using network monitoring tools to detect suspicious payloads.


What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation step is to upgrade the affected component to version 2.1.9 or later, which contains the security patch that fixes this vulnerability.

  • Upgrade taskflow-ai to version 2.1.9 using the command: `npm install taskflow-ai@latest`.

The patch includes validation of tool names against a predefined registry to prevent execution of hidden or unregistered tools, blocking of shell metacharacters in terminal commands, and disabling shell interpretation in execSync calls.

  • Ensure that the system rejects CallTool requests for tool names not registered or exposed.
  • Implement authentication, authorization, logging, and rate limiting on sensitive MCP handlers to reduce risk.

If immediate upgrade is not possible, consider restricting access to the MCP CallTool handler and monitoring for suspicious activity as a temporary workaround.

