Executive Summary

CVE-2026-30635 is an OS command injection vulnerability in the automagik-genie MCP server package, specifically version 2.5.27. It occurs in the readTranscriptFromCommit() function in dist/mcp/server.js, where user-controlled data from the Forge backend API is unsafely passed to the execSync() function via string interpolation.

Attackers can exploit this vulnerability by poisoning the Forge API responses, for example through a malicious Forge instance, a compromised backend, or man-in-the-middle attacks. The main injection point is the commitSha parameter, which is interpolated outside of quotes in the shell command, allowing unrestricted shell metacharacters to be executed.

There is also a secondary injection vector via the gitDir parameter, but it is limited by a filesystem existence check.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-30635 allows remote attackers to execute arbitrary commands on the automagik-genie MCP server, potentially leading to data exfiltration, lateral movement, or persistence within the affected system.

Such unauthorized access and potential data breaches could impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary commands on the MCP server with the privileges of the server process user.

• Remote code execution (RCE) enabling full control over the affected server.
• Potential data exfiltration from the server.
• Lateral movement within the network to compromise other systems.
• Establishing persistence on the compromised server.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or unexpected command executions originating from the automagik-genie MCP server, especially those involving the readTranscriptFromCommit function or the commitSha parameter.

Since the vulnerability involves command injection via the commitSha parameter passed to execSync(), detection can focus on identifying unusual shell commands or processes spawned by the MCP server.

• Use system process monitoring tools (e.g., ps, top) to look for unexpected commands or processes spawned by the MCP server user.
• Check logs for unusual API calls or requests to the Forge backend API that include suspicious commitSha values containing shell metacharacters.
• Run commands like `ps aux | grep automagik-genie` to identify running processes and investigate any suspicious command line arguments.
• Use network monitoring tools to detect unusual outbound connections or data exfiltration attempts originating from the MCP server.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include treating all Forge API responses as untrusted input and avoiding the use of execSync() with unsanitized user input.

• Replace the use of execSync() with execFileSync() using argument arrays to prevent shell command injection.
• Validate the commitSha parameter strictly as a valid git commit hash before using it in any command.
• Sanitize containerRef paths and any other user-controlled inputs to ensure they do not contain shell metacharacters.
• Monitor and restrict access to the Forge backend API to prevent attackers from poisoning API responses.

Useful 0 Not Useful 0