CVE-2026-5833
Received Received - Intake
Command Injection in awwaiid MCP-Server-Taskwarrior Local Function

Publication date: 2026-04-09

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5833
EUVD
EUVD-2026-20841
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
awwaiid mcp-server-taskwarrior to 1.0.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5833 is a command injection vulnerability in the MCP Server component of the mcp-server-taskwarrior package up to version 1.0.1. The vulnerability arises because the server uses Node.js's execSync function to run shell commands by concatenating user-controlled inputs such as task identifiers, descriptions, projects, and tags directly into command strings. This allows an attacker with local access to inject malicious shell commands by manipulating these inputs, leading to arbitrary command execution on the host system.

The vulnerability specifically affects the function server.setRequestHandler in the file index.ts, impacting tools like mark_task_done, add_task, and get_next_tasks. The root cause is the use of execSync with interpolated strings, which executes commands through a shell and interprets special characters, enabling command injection.

A patch has been released that replaces execSync with execFileSync, which executes commands without invoking a shell and passes arguments as arrays rather than concatenated strings. This change prevents user inputs from being interpreted as executable code, effectively mitigating the vulnerability.

Impact Analysis

If exploited, this vulnerability allows an attacker with local access to execute arbitrary commands on the MCP server host. This can lead to unauthorized data access, modification of system files, launching of unauthorized processes, or privilege escalation depending on the permissions of the MCP server.

For example, an attacker could inject commands that create files, run system utilities, or alter the behavior of the server, potentially compromising the integrity and confidentiality of the system.

Detection Guidance

This vulnerability involves command injection through the manipulation of the 'identifier' and other parameters in the MCP Server tools of mcp-server-taskwarrior. Detection can focus on monitoring for unusual or suspicious command executions originating locally, especially those involving the TaskWarrior commands executed by the MCP server.

Since the exploit requires local access and involves injection of shell meta-characters into commands executed via Node.js's execSync, detection can include checking for unexpected files or processes created by injected commands (e.g., files like 'poc.txt' created by injected 'whoami' commands).

Suggested commands to detect exploitation attempts or verify the presence of the vulnerable code include:

  • Check for suspicious files created by injection payloads, e.g., `ls poc.txt` or `cat poc.txt` to see if an injected command was executed.
  • Monitor running processes for unexpected commands launched by injection, e.g., `ps aux | grep calc` to detect if calculator or other injected commands are running.
  • Review the source code or installed package files for usage of `execSync` with concatenated user inputs, especially in `index.ts` around lines 135-175.
  • Use Node.js debugging or logging to trace calls to `execSync` with user-controlled parameters.
Mitigation Strategies

The primary mitigation is to apply the patch identified by commit 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2, which replaces the vulnerable use of `execSync` with `execFileSync` and passes command arguments as arrays rather than concatenated strings, effectively preventing command injection.

Additional immediate steps include:

  • Update the mcp-server-taskwarrior package to the fixed version that includes the patch.
  • Avoid using or exposing the vulnerable MCP Server tools (mark_task_done, add_task, get_next_tasks) until patched.
  • Implement strict input validation and sanitization on all parameters exposed to MCP clients, especially `identifier`, `description`, `project`, and `tags`.
  • Restrict local access to the MCP server to trusted users only, since the attack requires local execution.
Compliance Impact

The provided context and resources do not explicitly discuss the impact of CVE-2026-5833 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5833. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart