GitHub Advisory — godot-mcp command injection RCE (CVE-2026-25546)

AI relevance: godot-mcp is a Model Context Protocol server that lets AI agents control the Godot engine; RCE here means a single tool call can become full host compromise.

• CVE-2026-25546 is a command injection flaw in godot-mcp prior to 0.1.1, enabling remote code execution.
• Root cause: executeOperation passed user-controlled input (e.g., projectPath) to exec(), which invokes a shell.
• An attacker can inject shell metacharacters (e.g., $(command) or &calc) to run arbitrary commands as the MCP server process.
• Multiple MCP tools are affected because they accept projectPath, including create_scene, add_node, and load_sprite.
• Patch: version 0.1.1 replaces exec() with execFile() to avoid shell interpretation.
• No workaround is listed; upgrading is the only fix.

Why it matters

• MCP servers sit directly behind AI agent tool calls; a single prompt injection that reaches projectPath can become RCE.
• Game engines are increasingly used for agent simulation and robotics; compromising the MCP bridge can expose build machines and CI runners.
• This is a classic input-sanitization miss that likely repeats across MCP tooling.

What to do

• Upgrade to godot-mcp 0.1.1+ immediately.
• Audit MCP tools for any exec/spawn usage with user-controlled strings.
• Run MCP servers with least-privilege accounts and network isolation to limit blast radius.

Sources

• GitHub Advisory — Command Injection in godot-mcp
• Fix PR (#67) — switch to execFile
• Tenable CVE record — CVE-2026-25546