Offensive Security — MCP server command injection vulnerabilities CVE-2026-5007 and CVE-2026-5023

AI relevance: MCP servers form the critical tooling infrastructure that AI agents rely on for real-world operations, making command injection vulnerabilities particularly dangerous as they can turn trusted agent tools into attack vectors.

Two newly disclosed vulnerabilities in popular MCP (Model Context Protocol) servers demonstrate the ongoing security challenges in AI agent tooling ecosystems:

CVE-2026-5007: kazuph/mcp-docs-rag Command Injection

  • CVSS Severity: Medium
  • Affected: mcp-docs-rag versions ≤ 0.5.0
  • Vulnerable Functions: cloneRepository in src/index.ts
  • Attack Vector: Local access required
  • Root Cause: Unsafe use of child_process.exec with user-controlled input in add_git_repository and add_text_file tools

CVE-2026-5023: DeDeveloper23/codebase-mcp OS Command Injection

  • CVSS Severity: Medium
  • Affected: Rolling release codebase (no fixed version yet)
  • Vulnerable Functions: getCodebase, getRemoteCodebase, saveCodebase in src/tools/codebase.ts
  • Attack Vector: Local attacker with limited privileges
  • Impact: Arbitrary OS command execution leading to potential privilege escalation

Why It Matters

  • MCP servers operate with the same privileges as the AI agent process, making command injection particularly dangerous
  • These vulnerabilities affect document retrieval and codebase management tools — common in RAG and development workflows
  • Both projects were notified through early issue reports but haven't released patches yet
  • Public disclosure increases exploitation risk as attackers become aware of the vulnerabilities
  • The local attack vector means these are primarily supply chain risks rather than remote exploits

What to Do

  • Immediate: Audit your MCP server dependencies for these specific packages
  • Mitigation: Remove or disable affected MCP servers until patches are available
  • Detection: Monitor for suspicious child process execution patterns
  • Prevention: Implement strict input validation and use child_process.execFile instead of exec
  • Isolation: Run MCP servers in sandboxed environments with minimal privileges
