CVE-2026-10279
OS Command Injection in wezterm-mcp
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hiraishikentaro | wezterm-mcp | 0.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows remote attackers to execute arbitrary OS commands with the privileges of the MCP server process, potentially leading to unauthorized access, modification, or disruption of sensitive data and system availability.
Such unauthorized access and control can compromise the confidentiality, integrity, and availability of data, which are core principles in compliance frameworks like GDPR and HIPAA.
Therefore, exploitation of this vulnerability could lead to violations of these regulations by exposing personal or protected health information, failing to maintain data integrity, or causing service disruptions.
Can you explain this vulnerability to me?
This vulnerability exists in the wezterm-mcp tool, specifically in the functions switch_pane and write_to_specific_pane that handle the pane_id argument.
Although the pane_id is supposed to be a number, the runtime does not enforce this, allowing attackers to inject shell metacharacters into the pane_id parameter.
This leads to OS command injection because the pane_id is passed directly into shell command strings executed via child_process.exec, enabling arbitrary command execution with the privileges of the MCP server process.
An attacker can exploit this remotely by sending crafted JSON-RPC requests with malicious pane_id values to execute arbitrary commands on the host.
How can this vulnerability impact me?
This vulnerability can have a high impact on confidentiality, integrity, and availability of the affected system.
- Attackers can execute arbitrary commands on the host with the privileges of the MCP server process.
- They can read local files, modify or delete files, execute malicious payloads, or disrupt the host's normal operation.
- The exploit is publicly available and can be triggered remotely, increasing the risk of compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable wezterm-mcp server and attempting to exploit the command injection via the pane_id parameter.
A practical detection method is to send a crafted JSON-RPC request with a malicious pane_id value that includes shell metacharacters, for example: 1; echo WEZTERM_MCP_TEST > wezterm-mcp-poc.txt
If the file wezterm-mcp-poc.txt is created in the server's working directory, it confirms the vulnerability.
This can be done using tools like curl or any JSON-RPC client to send the crafted request to the MCP server.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include not exposing the wezterm-mcp server to untrusted clients and blocking raw JSON-RPC access from untrusted users.
Run the MCP server under a low-privilege user account to limit the impact of a potential exploit.
The recommended fix involves enforcing runtime type validation for the pane_id parameter, replacing child_process.exec with safer alternatives like execFile or spawn, and avoiding shell interpolation of attacker-controlled values.
Additionally, adding regression tests with shell metacharacters can help prevent reintroduction of this vulnerability.
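The fix described above, as an added example that is not wezterm-mcp's own code: pane_id is validated at runtime and handed to execFile as a separate argv element, shown next to the interpolated string form for comparison. The function names and the use of wezterm cli activate-pane --pane-id as the underlying command are assumptions.

```javascript
// Added illustration; function names are hypothetical, not wezterm-mcp's code.
const { execFile } = require("node:child_process");

// Constructed regression inputs. The first is the probe string quoted on this
// page; the rest are values a JSON-RPC client can send in place of a number.
const HOSTILE_PANE_IDS = [
  "1; echo WEZTERM_MCP_TEST > wezterm-mcp-poc.txt",
  "1", " 1", "1\n2", 1.5, -1, NaN, Infinity, null, undefined, [1], { id: 1 }, true,
];

// Vulnerable pattern from the description: the value is interpolated into a
// single string that a shell would parse. Built here for comparison only,
// never executed.
function unsafeCommandString(paneId) {
  return `wezterm cli activate-pane --pane-id ${paneId}`;
}

// Runtime type validation: a schema that says "number" is not enforced at
// runtime, so check the actual value before it gets near a process call.
function parsePaneId(value) {
  if (typeof value !== "number" || !Number.isSafeInteger(value) || value < 0) {
    throw new TypeError("pane_id must be a non-negative integer");
  }
  return value;
}

// Hardened form, step 1: a fixed argv with the validated id as one element.
function activatePaneArgv(paneId) {
  return ["cli", "activate-pane", "--pane-id", String(parsePaneId(paneId))];
}

// Hardened form, step 2: execFile hands argv to the program directly, so no
// shell ever interprets ';', '>', '$(...)' or backticks.
function switchPane(paneId, callback) {
  execFile("wezterm", activatePaneArgv(paneId), { shell: false }, callback);
}

// Regression helper: returns the inputs the validator wrongly accepted.
function wronglyAccepted(candidates) {
  return candidates.filter((candidate) => {
    try {
      parsePaneId(candidate);
      return true;
    } catch {
      return false;
    }
  });
}
```

A regression test can assert that wronglyAccepted(HOSTILE_PANE_IDS) stays empty, so a later refactor that loosens the check fails the build.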