GitLab Advisory — mcp-nmap-server command injection (CVE-2026-3484)
AI relevance: MCP tool servers often run beside agent runtimes; a command injection in an Nmap tool can let attacker-controlled prompts execute shell commands.
- CVE-2026-3484 affects PhialsBasement nmap-mcp-server up to commit bee6d235.
- The vulnerable path is `child_process.exec` inside `src/index.ts`, in the Nmap CLI command handler.
- Improper input handling enables command injection from remote requests.
- The advisory notes a rolling-release model, so version numbers are not provided.
- A patch is available as commit 30a6b9e1.
Security impact
Command injection inside an MCP server is effectively a remote shell on the agent host. The difference with AI tooling is that command execution can be triggered by the model itself — whether via direct prompt injection or misaligned tool routing. If an attacker can influence a model’s tool call, they can turn a benign “scan host” request into arbitrary execution. In practical terms: once the MCP server is exposed, the agent becomes a programmable RCE surface.
This also undermines least-privilege assumptions. Nmap is frequently run as root or with raw-socket capabilities (SYN scans and OS detection need them) on hosts with broad network reach, so a command injection arrives with scanning privileges already in hand and can be chained with network discovery, internal pivoting, and credential harvesting. For AI deployments, it turns the model into a gateway for infrastructure discovery and exploitation, not just information retrieval.
Mitigation strategy
Apply the upstream fix (the project has no version numbers, so pin to the fixed commit or later) and harden command execution. Build an argument array and hand it to `execFile`/`spawn` rather than interpolating into a shell string; allowlist flags and validate targets and port specs; and keep Nmap options that read or write files or run NSE scripts (`-iL`, `-oN`/`-oX`/`-oA`, `--script`) off the allowlist, since those are dangerous even without a shell. Run the MCP server under a low-privilege user and restrict outbound network access. If possible, isolate scanning tools in containers or sandboxes with explicit egress policies.
Why it matters
- MCP servers are commonly wired into agent workflows; a shell injection turns a prompt into remote code execution.
- Recon tools like Nmap often run with elevated network access, increasing blast radius.
What to do
- Patch: apply the upstream fix (commit 30a6b9e1) or update to a patched release if available.
- Constrain execution: run MCP tool servers in a locked-down container with no host-level privileges.
- Validate inputs: restrict tool arguments to allowlisted flags and targets.
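The "no raw shell, allowlisted flags and targets" advice under Mitigation strategy and What to do, shown as an added example in TypeScript. This is illustrative code written for this page, not the project's `src/index.ts` or the upstream fix; the function and type names, the flag allowlist, and the scan-request shape are all assumptions chosen for the example.

```typescript
// Added example (not the project's code): a shell-built nmap command line next
// to a hardened builder that validates inputs and never touches a shell.
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Vulnerable pattern: caller-controlled strings spliced into a shell command.
// Passed to child_process.exec(), a target of "10.0.0.5; id" runs `id` too.
function vulnerableCommandLine(target: string, flags: string): string {
  return `nmap ${flags} ${target}`; // what exec() would hand to /bin/sh
}

// Hostname (RFC 1123 labels), IPv4 address, or IPv4 CIDR. Anything else is
// rejected, which excludes ; | & $ ` quotes and whitespace. Labels must start
// with an alphanumeric, so a target can never begin with "-" and be read as a flag.
const TARGET_RE =
  /^(?:(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?|(?:\d{1,3}\.){3}\d{1,3}(?:\/\d{1,2})?)$/i;

// Port spec: "22", "80,443", "1-1024", or comma-separated mixes of those.
const PORTS_RE = /^\d{1,5}(?:-\d{1,5})?(?:,\d{1,5}(?:-\d{1,5})?)*$/;

// Argument-free flags that only affect the scan itself (hypothetical allowlist).
// Deliberately absent: --script (runs NSE code), -iL (reads a file),
// -oN/-oX/-oA (write files), and anything that lets the caller name a path.
const FLAG_ALLOWLIST = new Set(["-sV", "-sT", "-sn", "-Pn", "-F", "-T4"]);

interface ScanRequest {
  target: string;
  flags?: string[];
  ports?: string;
}

// Returns null when the request is acceptable, otherwise the reason it is not.
function validateScanRequest(req: ScanRequest): string | null {
  if (!TARGET_RE.test(req.target)) {
    return `rejected target: ${JSON.stringify(req.target)}`;
  }
  for (const f of req.flags ?? []) {
    if (!FLAG_ALLOWLIST.has(f)) return `rejected flag: ${JSON.stringify(f)}`;
  }
  if (req.ports !== undefined && !PORTS_RE.test(req.ports)) {
    return `rejected port spec: ${JSON.stringify(req.ports)}`;
  }
  return null;
}

// Builds argv for nmap: validated flags, then "-p <ports>", then the target.
function buildNmapArgs(req: ScanRequest): string[] {
  const problem = validateScanRequest(req);
  if (problem !== null) throw new Error(problem);
  const args: string[] = [...(req.flags ?? [])];
  if (req.ports !== undefined) args.push("-p", req.ports);
  args.push(req.target);
  return args;
}

// execFile passes argv straight to the nmap binary: no shell, so no
// metacharacter expansion. Timeout and maxBuffer bound a hostile target list.
async function runNmap(req: ScanRequest): Promise<string> {
  const { stdout } = await execFileAsync("nmap", buildNmapArgs(req), {
    timeout: 120_000,
    maxBuffer: 8 * 1024 * 1024,
  });
  return stdout;
}

// Constructed inputs: a legitimate request and a classic injection attempt.
const legit: ScanRequest = { target: "scanme.nmap.org", flags: ["-sV", "-Pn"], ports: "22,80-443" };
const injected: ScanRequest = { target: "10.0.0.5; id", flags: ["-sV"] };
console.log("shell string:", vulnerableCommandLine(injected.target, "-sV"));
console.log("hardened argv:", buildNmapArgs(legit));
console.log("hardened verdict on injection:", validateScanRequest(injected));
```

In an MCP tool handler the same constraints belong in the tool's input schema as well, so the model is told up front which flags and target forms are accepted; the server-side check here is still required, because schema validation on the client is not a trust boundary. `runNmap` is only reachable after validation, so a request that would have carried a shell payload never reaches `execFile`.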