INCIBE-CERT — github-kanban-mcp-server command injection (CVE-2026-0756)
• Category: AI CVEs
AI relevance: this affects an MCP server used to let LLM agents manage GitHub issues; if exploited, it could turn “agent tooling” into remote code execution on the MCP server host.
- Advisory: INCIBE-CERT reports a critical vulnerability in github-kanban-mcp-server, tracked as CVE-2026-0756.
- Impact: an attacker could execute arbitrary code in the context of the service account running the MCP server.
- Root cause (per advisory): insufficient validation of a user-provided string before using it in a system call.
- Where it hits: the issue is described as being in the handling of the create_issue parameter.
- Patch status: the advisory states there is currently no fix available.
- Mitigation guidance: restrict interaction/exposure as the primary mitigation until patched.
Why it matters
- MCP servers are control-plane infrastructure: they sit between agents and capabilities (GitHub, files, cloud APIs). RCE here can become a cross-agent compromise.
- AI ops blast radius: teams increasingly deploy MCP servers centrally for multiple agents; a single vulnerable server can become a shared failure point.
What to do
- Do not expose the server to untrusted networks/clients; prefer localhost or private networks with strict firewalling.
- Run as least-privilege: separate service accounts; no access to unrelated secrets; minimize filesystem + network permissions.
- Add compensating controls: mTLS/auth at the transport layer, request allowlists, and aggressive rate-limiting.
- Track upstream: monitor the repo for a fixed release and update immediately when available.
Sources
- INCIBE-CERT: Asynchronous command injection in the github-kanban-mcp server (original title: "Inyección asíncrona de comandos en el servidor github-kanban-mcp")
- GitHub repo: Sunwood-ai-labs/github-kanban-mcp-server