GitHub Advisory — sf-mcp-server command injection RCE (CVE-2026-26029)

AI relevance: sf-mcp-server is a Salesforce Model Context Protocol server for Claude Desktop, so a single tool call can become shell access on the MCP host.

  • CVE-2026-26029 is a command injection flaw in sf-mcp-server that enables arbitrary command execution.
  • Root cause: the query_records tool built a Salesforce CLI command string and executed it via child_process.exec.
  • User-controlled fields like targetOrg, sObject, fields, where, orderBy, and limit flowed directly into the shell command.
  • Shell metacharacters (;, &, |) can be injected to run additional commands with the MCP server’s privileges.
  • The advisory includes a PoC showing a malicious targetOrg value executing whoami on the host.
  • Fix: the patch replaces exec with execFile and passes arguments as an array to avoid shell interpretation.
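
The fix pattern described above, as an added sketch rather than code from sf-mcp-server or its patch: arguments reach the child process as an array, and each field is checked against an allowlist first, because execFile stops shell interpretation but not a value starting with "-" being read as an option. The `sf data query` flag layout, the regexes, the limit ceiling and the Node stand-in that echoes its argv are assumptions; execFileSync is used as the synchronous form of execFile.

```javascript
const { execFileSync } = require('child_process');

// Stand-in for the `sf` binary (assumption): Node prints the argv it received,
// so the example runs offline without the Salesforce CLI.
const STAND_IN_BIN = process.execPath;
const STAND_IN_PREFIX = ['-e', 'console.log(JSON.stringify(process.argv.slice(1)))', '--'];

// Allowlists are assumptions for this sketch, not the project's own rules.
const ORG = /^[A-Za-z0-9][A-Za-z0-9._@-]*$/; // alias or username, never a leading "-"
const IDENT = /^[A-Za-z_][A-Za-z0-9_.]*$/;   // sObject and field API names
const isIdent = (v) => typeof v === 'string' && IDENT.test(v);

// Validate each tool input, then return one array element per CLI argument.
function buildArgs({ targetOrg, sObject, fields, limit }) {
  if (typeof targetOrg !== 'string' || !ORG.test(targetOrg)) throw new Error('invalid targetOrg');
  if (!isIdent(sObject)) throw new Error('invalid sObject');
  if (!Array.isArray(fields) || fields.length === 0 || !fields.every(isIdent)) {
    throw new Error('invalid fields');
  }
  if (!Number.isInteger(limit) || limit < 1 || limit > 2000) throw new Error('invalid limit');
  const soql = `SELECT ${fields.join(', ')} FROM ${sObject} LIMIT ${limit}`;
  return ['data', 'query', '--query', soql, '--target-org', targetOrg, '--json'];
}

// Run the stand-in without a shell and return the argv the child actually saw.
function argvSeenByChild(args) {
  const out = execFileSync(STAND_IN_BIN, [...STAND_IN_PREFIX, ...args], {
    encoding: 'utf8',
    timeout: 10000,
  });
  return JSON.parse(out);
}

// Constructed sample: metacharacters stay inside a single argument, no second command runs.
console.log(argvSeenByChild(['--target-org', 'myorg; echo INJECTED']));
```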

Why it matters

  • MCP servers sit on the boundary between agent intent and host execution; command injection turns prompt-level control into full RCE.
  • Salesforce access implies sensitive CRM data; a compromised MCP host can pivot into data exfiltration or credential theft.
  • This mirrors a wider MCP pattern: classic injection bugs in tool wrappers that assume agent-provided strings are safe.

What to do

  • Update to a patched release or apply the commit that switches to execFile.
  • Audit MCP tools for any exec/spawn usage with user-controlled input.
  • Run MCP servers with least-privilege service accounts and filesystem/network isolation.
