CVE-2026-7220
OS Command Injection in FastlyMCP fastly_cli Tool Enables Remote Attack
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jackwrichards | fastlymcp | to 6f3d0b0e654fc51076badc7fa16c03c461f95620 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7220 is a critical command injection vulnerability found in the fastly_cli tool of the FastlyMCP project. The vulnerability exists because the tool accepts an attacker-controlled command string and appends it to a PowerShell command line, which is then executed without proper sanitization or validation. This allows an attacker to execute arbitrary operating system commands remotely with the privileges of the MCP server process.
Technically, the vulnerable code constructs a PowerShell command string by concatenating a fixed prefix with the user-supplied command and a Fastly API token, then executes it using Node.js's child_process.exec function. Because the input is interpreted by PowerShell, special characters and command chaining operators can be used by an attacker to run arbitrary commands.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows remote attackers to execute arbitrary OS commands with high privileges on the MCP server, which can lead to unauthorized access, modification, or destruction of sensitive data.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and integrity violations.
Specifically, the high confidentiality, integrity, and availability impact of this vulnerability means that organizations using the affected software could face violations of data protection requirements, leading to legal and regulatory consequences.
How can this vulnerability impact me? :
This vulnerability can have severe impacts on the affected system and its users. An attacker exploiting this flaw can execute arbitrary OS commands remotely, which can lead to the following consequences:
- Confidentiality compromise: The attacker can read sensitive files, environment variables, credentials, and other data accessible to the MCP server.
- Integrity compromise: The attacker can modify files, tamper with configurations, or install persistence mechanisms.
- Availability impact: The attacker can disrupt services by terminating processes, consuming resources, or executing destructive commands.
Overall, the vulnerability allows an attacker to gain high-level control over the host system beyond the application boundary, posing a critical security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or unexpected command executions initiated through the fastly_cli tool, especially those that include command chaining or unusual PowerShell commands.
A practical detection method is to look for evidence of arbitrary command execution, such as the creation of unexpected files or execution of commands like 'whoami' via the MCP JSON-RPC interface.
For example, you can check for the presence of the proof-of-concept file created by an exploit attempt:
- ls -l /tmp/fastlymcp-poc
Additionally, monitoring logs for JSON-RPC requests invoking the fastly_cli tool with suspicious 'command' parameters can help detect exploitation attempts.
Network or system commands to detect suspicious activity might include:
- grep 'tools/call' /var/log/fastlymcp.log | grep 'fastly_cli'
- Audit or monitor child_process.exec calls in the fastly-mcp-server process if possible.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the free-form shell command execution functionality in the fastly_cli tool to prevent arbitrary command injection.
Replace the vulnerable command execution approach with a fixed allowlist of supported Fastly subcommands and implement strict argument validation to ensure no unsanitized input reaches the shell.
Avoid using Node.js's child_process.exec with interpolated shell strings; instead, use direct argument arrays and explicit executable invocation methods that do not invoke a shell.
Implement authentication, authorization, audit logging, and rate limiting around the MCP tools to restrict access and detect abuse.
If possible, apply patches or updates from the project once available, or consider disabling the fastly_cli tool until a secure fix is released.