CVE-2026-5833
Command Injection in awwaiid MCP-Server-Taskwarrior Local Function
Publication date: 2026-04-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| awwaiid | mcp-server-taskwarrior | to 1.0.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-5833 is a command injection vulnerability in the MCP Server component of the mcp-server-taskwarrior package up to version 1.0.1. The vulnerability arises because the server uses Node.js's execSync function to run shell commands by concatenating user-controlled inputs such as task identifiers, descriptions, projects, and tags directly into command strings. This allows an attacker with local access to inject malicious shell commands by manipulating these inputs, leading to arbitrary command execution on the host system.
The vulnerability specifically affects the function server.setRequestHandler in the file index.ts, impacting tools like mark_task_done, add_task, and get_next_tasks. The root cause is the use of execSync with interpolated strings, which executes commands through a shell and interprets special characters, enabling command injection.
A patch has been released that replaces execSync with execFileSync, which executes commands without invoking a shell and passes arguments as arrays rather than concatenated strings. This change prevents user inputs from being interpreted as executable code, effectively mitigating the vulnerability.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with local access to execute arbitrary commands on the MCP server host. This can lead to unauthorized data access, modification of system files, launching of unauthorized processes, or privilege escalation depending on the permissions of the MCP server.
For example, an attacker could inject commands that create files, run system utilities, or alter the behavior of the server, potentially compromising the integrity and confidentiality of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection through the manipulation of the 'identifier' and other parameters in the MCP Server tools of mcp-server-taskwarrior. Detection can focus on monitoring for unusual or suspicious command executions originating locally, especially those involving the TaskWarrior commands executed by the MCP server.
Since the exploit requires local access and involves injection of shell meta-characters into commands executed via Node.js's execSync, detection can include checking for unexpected files or processes created by injected commands (e.g., files like 'poc.txt' created by injected 'whoami' commands).
Suggested commands to detect exploitation attempts or verify the presence of the vulnerable code include:
- Check for suspicious files created by injection payloads, e.g., `ls poc.txt` or `cat poc.txt` to see if an injected command was executed.
- Monitor running processes for unexpected commands launched by injection, e.g., `ps aux | grep calc` to detect if calculator or other injected commands are running.
- Review the source code or installed package files for usage of `execSync` with concatenated user inputs, especially in `index.ts` around lines 135-175.
- Use Node.js debugging or logging to trace calls to `execSync` with user-controlled parameters.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to apply the patch identified by commit 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2, which replaces the vulnerable use of `execSync` with `execFileSync` and passes command arguments as arrays rather than concatenated strings, effectively preventing command injection.
Additional immediate steps include:
- Update the mcp-server-taskwarrior package to the fixed version that includes the patch.
- Avoid using or exposing the vulnerable MCP Server tools (mark_task_done, add_task, get_next_tasks) until patched.
- Implement strict input validation and sanitization on all parameters exposed to MCP clients, especially `identifier`, `description`, `project`, and `tags`.
- Restrict local access to the MCP server to trusted users only, since the attack requires local execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided context and resources do not explicitly discuss the impact of CVE-2026-5833 on compliance with common standards and regulations such as GDPR or HIPAA.