CVE-2026-7629
Command Injection in Kleneway Awesome-Cursor-MPC-Server
Publication date: 2026-05-02
Last updated on: 2026-05-05
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kleneway | awesome_cursor_mpc_server | to 2.0.1 (inc) |
| kleneway | awesome_cursor_mpc_server | to 2.0.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7629 is a command injection vulnerability found in the awesome-cursor-mpc-server project, specifically in the code-review tool's runCodeReviewTool function within the file src/tools/codeReview.ts. The vulnerability arises because the code uses Node.js's execSync() function unsafely by directly concatenating a user-controlled folderPath parameter into shell commands without proper sanitization. This allows an attacker to inject arbitrary shell commands by including shell metacharacters in the folderPath input.
The vulnerability can be exploited remotely and enables attackers to execute arbitrary commands on the server hosting the MCP service. This can lead to unauthorized actions such as creating files or launching applications. The root cause is the unsafe handling of user input in shell command execution, and the recommended fix involves replacing execSync() with execFileSync() and passing arguments as an array to prevent shell interpretation.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary commands on the server running the awesome-cursor-mpc-server. As a result, attackers could gain unauthorized access to the system, modify or delete data, create new files, or run malicious applications.
Such unauthorized command execution can compromise the integrity, confidentiality, and availability of the affected system, potentially leading to data theft, system disruption, or further exploitation within the network.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of unsafe command execution patterns in the code-review tool, specifically the use of Node.js's execSync() function with unsanitized user input such as the folderPath parameter.
You can look for suspicious command injection attempts by monitoring logs for unusual shell metacharacters (;, &, |) in parameters passed to the code-review tool.
To check whether a copy of the code on your system still contains the vulnerable pattern, search the source for uses of execSync that take user input, for example:
- grep -r "execSync" ./src/tools/codeReview.ts
- grep -r folderPath ./src/tools/codeReview.ts
Additionally, monitoring for unexpected file creations or executions (e.g., creation of files or launching unexpected applications like calculator) triggered by the code-review tool could indicate exploitation.
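The log-monitoring idea above, as an added example that is not part of this record or of the awesome-cursor-mpc-server project: a small scanner that reads MCP tool-call records, pulls out the folderPath argument and flags values carrying shell metacharacters (including URL-encoded ones) or path traversal. The JSON log format and the sample lines are constructed for the example; real deployments will need extractFolderPath() adapted to their own log shape.

```typescript
// Added example, not project code. Scans constructed MCP tool-call log
// records for suspicious folderPath values.

// Characters that let a concatenated value break out of a shell command word.
const SHELL_META = /[;&|`$<>(){}\n\r]/;

interface Finding {
  line: number;      // 1-based line number in the scanned log
  folderPath: string;
  reason: string;
}

// Pull folderPath out of one JSON log record (assumed format:
// {"tool": "...", "args": {"folderPath": "..."}}). Returns null when the
// line is not JSON or carries no folderPath, so non-matching lines are skipped.
function extractFolderPath(record: string): string | null {
  try {
    const obj = JSON.parse(record);
    const fp = obj?.args?.folderPath ?? obj?.params?.folderPath;
    return typeof fp === "string" ? fp : null;
  } catch {
    return null;
  }
}

// Decide whether a folderPath value looks like an injection or traversal attempt.
// Percent-decoding first catches values such as "src%3B%20true".
function classify(folderPath: string): string | null {
  let decoded = folderPath;
  try {
    decoded = decodeURIComponent(folderPath);
  } catch {
    // malformed percent-encoding: inspect the raw value instead
  }
  if (SHELL_META.test(decoded)) return "shell metacharacter in folderPath";
  if (decoded.split(/[\\/]/).includes("..")) return "path traversal in folderPath";
  return null;
}

// Run the check over every line and collect findings with their line numbers.
function scanLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((line, i) => {
    const fp = extractFolderPath(line);
    if (fp === null) return;
    const reason = classify(fp);
    if (reason !== null) findings.push({ line: i + 1, folderPath: fp, reason });
  });
  return findings;
}

// Constructed sample log (not real traffic). Lines 2, 4 and 5 should be flagged.
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-05-02T10:00:00Z","tool":"code-review","args":{"folderPath":"src/tools"}}',
  '{"ts":"2026-05-02T10:00:05Z","tool":"code-review","args":{"folderPath":"src; true"}}',
  'plain text line that is not JSON and is skipped',
  '{"ts":"2026-05-02T10:00:09Z","tool":"code-review","args":{"folderPath":"src%3B%20true"}}',
  '{"ts":"2026-05-02T10:00:12Z","tool":"code-review","args":{"folderPath":"../../etc"}}',
  '{"ts":"2026-05-02T10:00:15Z","tool":"other-tool","args":{"query":"a | b"}}',
];

for (const f of scanLog(SAMPLE_LOG)) {
  console.log(`line ${f.line}: ${f.reason} (${JSON.stringify(f.folderPath)})`);
}
```

The scanner deliberately ignores records without a folderPath (the last sample line has a pipe character, but in a different tool's argument), so it reports on the parameter the advisory names rather than on every metacharacter in the log.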
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of the vulnerable version (up to 2.0.1) of the awesome-cursor-mpc-server code-review tool until a fix is applied.
If you maintain the code, replace the unsafe execSync() calls that interpolate user input with safer alternatives like execFileSync(), passing user inputs as separate arguments to prevent shell interpretation.
Implement strict input validation and sanitization on the folderPath parameter to ensure no shell metacharacters can be injected.
Monitor for updates or patches from the project repository and apply them once available.
As a temporary workaround, restrict access to the vulnerable service to trusted users or networks to reduce the risk of remote exploitation.
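The fix described in the explanation and in the mitigation steps (execFileSync with an argument array, plus validation of folderPath), as an added example that is not the project's own code. The review command is a stand-in: instead of the real tool it runs node with a one-line script that echoes its argument, which is enough to show that an argument passed through execFileSync's argv array arrives unchanged while the concatenated string form would have been handed to a shell. The allowed root directory, the `ls -la` command shape and the function names are assumptions for the example.

```typescript
import { execFileSync } from "child_process";
import * as path from "path";

// Added example, not project code. Contrasts the unsafe pattern the advisory
// describes with a hardened variant.

// Unsafe shape (built but never executed here): the whole string is parsed
// by a shell, so any metacharacter in folderPath changes the command.
// Mirrors a hypothetical execSync("ls -la " + folderPath).
function buildUnsafeCommand(folderPath: string): string {
  return `ls -la ${folderPath}`;
}

// Mitigation 1: strict validation. folderPath must be a relative path that
// stays under an allowed root and contains no shell metacharacters. Returns
// the resolved absolute path, or throws.
function validateFolderPath(allowedRoot: string, folderPath: string): string {
  if (/[;&|`$<>(){}\n\r]/.test(folderPath)) {
    throw new Error("folderPath contains shell metacharacters");
  }
  if (path.isAbsolute(folderPath)) {
    throw new Error("folderPath must be relative to the allowed root");
  }
  const resolved = path.resolve(allowedRoot, folderPath);
  const rel = path.relative(allowedRoot, resolved);
  if (rel.startsWith("..") || path.isAbsolute(rel)) {
    throw new Error("folderPath escapes the allowed root");
  }
  return resolved;
}

// Convenience wrapper for callers that only need a yes/no answer.
function isSafeFolderPath(allowedRoot: string, folderPath: string): boolean {
  try {
    validateFolderPath(allowedRoot, folderPath);
    return true;
  } catch {
    return false;
  }
}

// Mitigation 2: no shell. execFileSync receives the program and an argv
// array; the argument reaches the child exactly as given, so ";" or "|"
// are ordinary characters. The child here is node running a tiny script
// that writes back its first argument (a stand-in for the review command).
function echoArgWithoutShell(arg: string): string {
  return execFileSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[1])", arg],
    { encoding: "utf8" },
  );
}

// Hardened entry point: validate first, then execute without a shell.
function runCodeReviewSafe(allowedRoot: string, folderPath: string): string {
  const resolved = validateFolderPath(allowedRoot, folderPath);
  return echoArgWithoutShell(resolved);
}

const REPO_ROOT = path.resolve("/srv/repo"); // constructed root for the example
console.log("unsafe string form:", buildUnsafeCommand("src; true"));
console.log("argv form echoes literally:", echoArgWithoutShell("src; true"));
console.log("hardened call:", runCodeReviewSafe(REPO_ROOT, "src/tools"));
console.log("traversal rejected:", !isSafeFolderPath(REPO_ROOT, "../etc"));
```

Keeping both mitigations is deliberate: the argv array removes the shell and therefore the injection, while the path check stops the tool from being pointed at directories outside the repository it is meant to review.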
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of the CVE-2026-7629 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.