CVE-2026-7653
Deferred Deferred - Pending Action
Command Injection in MCP Server Rijksmuseum

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: VulDB

Description
A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7653
EUVD
EUVD-2026-26800
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
r-huijts mcp-server-rijksmuseum to 1.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7653 is a command injection vulnerability in the mcp-server-rijksmuseum tool, specifically in the function open_image_in_browser. The vulnerability occurs because the tool accepts a user-supplied imageUrl parameter, performs only a basic type check, and then passes it unsanitized into a shell command executed via child_process.exec.

An attacker with network access to the MCP interface can inject shell metacharacters through the imageUrl parameter to execute arbitrary operating system commands with the privileges of the server process. This means the attacker can run any command on the server remotely.

The vulnerability exists due to insufficient validation of the imageUrl input and unsafe use of shell command execution functions. No fixed version is available yet, and exploitation requires the ability to invoke the open_image_in_browser tool on a server running an OS with commands like open, xdg-open, or start.

Impact Analysis

This vulnerability can have a high impact on confidentiality, integrity, and availability of the affected system.

  • An attacker can execute arbitrary OS commands with the privileges of the MCP server process.
  • This can lead to full host compromise, including unauthorized data exposure.
  • Attackers can modify or delete data, affecting data integrity.
  • Service disruption is possible by terminating processes or consuming system resources.
Detection Guidance

This vulnerability can be detected by attempting to invoke the open_image_in_browser tool with a crafted payload that includes shell metacharacters in the imageUrl parameter. Successful execution of arbitrary commands such as 'id' indicates the presence of the vulnerability.

Detection can be performed by sending a JSON-RPC request to the MCP server with a malicious imageUrl value containing shell metacharacters (e.g., "; id #"). If the server executes the injected command, it confirms the vulnerability.

Static analysis tools like CodeQL and source-code audits can also help identify the vulnerability in the source code, especially in the use of child_process.exec with unsanitized input.

  • Example command to test via JSON-RPC (conceptual): send a request with imageUrl set to something like "http://example.com/image.jpg; id #" and observe if the 'id' command output is returned or logged.
  • Monitor network traffic for suspicious JSON-RPC calls invoking open_image_in_browser with unusual or suspicious imageUrl parameters containing shell metacharacters.
Mitigation Strategies

Immediate mitigation steps include restricting access to the MCP server and the open_image_in_browser tool to trusted clients only.

Disable the browser-opening functionality in deployments where the MCP server is exposed to untrusted networks.

Run the MCP server process under a low-privilege operating system account to limit the impact of any potential exploitation.

  • Do not expose the MCP server to untrusted clients or networks.
  • Restrict or disable the open_image_in_browser tool usage.
  • Apply strict input validation on the imageUrl parameter to reject embedded quotes, control characters, shell metacharacters, and non-HTTP(S) schemes.
  • Await and apply official patches or updates that replace child_process.exec with safer alternatives and enforce strict validation.
Compliance Impact

This vulnerability allows remote attackers to execute arbitrary operating system commands with the privileges of the MCP server process, potentially leading to full host compromise.

Such a compromise can result in unauthorized data exposure, loss of data integrity, and service disruption.

These impacts can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data confidentiality, integrity, and availability.

Failure to protect against such vulnerabilities could lead to violations of these regulations due to potential data breaches or service outages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7653. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart