CVE-2026-57860
Received Received - Intake

Arbitrary Code Execution in ForgeCode AI Pair-Programming CLI

Vulnerability report for CVE-2026-57860, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

ForgeCode (tailcallhq/forgecode), an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and args values (for example, command: bash with args: ['-c', 'touch /tmp/pwned']). When a user runs the forge CLI inside a cloned untrusted repository, the specified commands are spawned with the invoking user's privileges, resulting in arbitrary code execution. This provides a reliable initial-access and persistence primitive against developers who evaluate untrusted repositories with ForgeCode.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
tailcallhq forgecode v2.12.10
tailcallhq forgecode to 2.11.1 (inc)
tailcallhq forge v2.11.1
tailcallhq forgecode *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

ForgeCode automatically loads and executes MCP servers defined in a repository's .mcp.json file without user confirmation. A malicious repository can include a crafted .mcp.json file with arbitrary commands, which ForgeCode runs with the user's privileges, leading to arbitrary code execution.

Detection Guidance

Check for unexpected .mcp.json files in project directories, especially in untrusted repositories. Look for recently modified files with suspicious command entries like 'bash -c' or other arbitrary commands. Review system logs for unusual child processes spawned by forge or related CLI tools.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on your system with your privileges. This could lead to data theft, credential leakage, or establishing persistent access like reverse shells. It primarily affects users who clone and run untrusted repositories with ForgeCode.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection requirements and HIPAA's safeguards for protected health information. Organizations using ForgeCode may face compliance violations if sensitive data is compromised due to this issue.

Mitigation Strategies

Update ForgeCode to the latest version where the trust prompt system is implemented. Avoid running forge in untrusted directories. If updating is not possible, manually inspect .mcp.json files before execution or disable automatic MCP server loading in configuration.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart