ChatboxAI — MCP StdioClientTransport OS Command Injection (CVE-2026-6130)

AI relevance: This vulnerability in a popular AI chat interface with 39.4k GitHub stars demonstrates how MCP (Model Context Protocol) server implementations can introduce critical security risks into AI agent ecosystems, enabling remote code execution attacks.

A high severity OS command injection vulnerability (CVE-2026-6130, CVSS 7.3) has been discovered in ChatboxAI's chatbox application up to version 1.20.0, affecting the Model Context Protocol (MCP) StdioClientTransport implementation and exposing AI agent environments to remote code execution.

Vulnerability details

  • CVE-2026-6130: High severity (CVSS 7.3) OS command injection
  • Affected component: StdioClientTransport in src/main/mcp/ipc-stdio-transport.ts
  • Attack vector: Remote exploitation via manipulated args/env parameters
  • Impact: Full OS command execution with application privileges
  • Project popularity: 39.4k GitHub stars, widely used AI chat interface
  • Disclosure status: Publicly disclosed April 12, 2026; no vendor response
  • CWE classification: CWE-77 (Command Injection)

Why it matters

MCP servers act as critical bridges between AI agents and external systems, making them high-value targets for attackers. This vulnerability demonstrates how improper input validation in MCP transport layers can expose entire AI agent ecosystems to compromise. The widespread adoption of ChatboxAI (39.4k GitHub stars) means this vulnerability could affect numerous AI development and deployment environments.

Command injection vulnerabilities in MCP implementations are particularly dangerous because they can provide attackers with persistent access to AI agent environments, potentially enabling data exfiltration, privilege escalation, or lateral movement through connected systems.

What to do

  • Immediate upgrade: Update ChatboxAI to versions beyond 1.20.0 when available
  • Input validation: Implement strict input sanitization for all MCP transport parameters
  • Sandbox execution: Run MCP servers in isolated containers with minimal privileges
  • Network segmentation: Restrict MCP server network access to only necessary endpoints
  • Monitoring: Deploy runtime security monitoring for suspicious process execution
  • Supply chain audit: Review all MCP server dependencies for similar vulnerabilities
  • Threat modeling: Include MCP servers in AI infrastructure threat models
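The monitoring recommendation above is concrete enough to implement: a correctly written stdio transport exec's the server binary directly, so a shell interpreter anywhere beneath the AI host process, or a direct child that is not a registered MCP server, is the signal to alert on. The TypeScript below is an added example for this page, not code from ChatboxAI or from any EDR product; the event shape, image names, rule names and the sample telemetry are constructed, and the detector itself is hypothetical.

```typescript
// Added example, not from the advisory or the ChatboxAI project: a small
// process-lineage detector for the "monitoring" recommendation. It consumes
// process-creation events as an EDR, auditd or Sysmon pipeline would emit them.
// The event shape, image names and sample events are constructed for illustration.

export interface ProcEvent {
  ts: string;
  pid: number;
  ppid: number;
  image: string;     // executable basename
  cmdline: string[]; // argv as recorded at exec time
}

export interface Finding {
  ts: string;
  pid: number;
  rule: string;
  detail: string;
}

// Command interpreters a stdio MCP transport has no reason to launch.
const SHELLS = ["sh", "bash", "dash", "zsh", "ksh", "cmd.exe", "powershell.exe", "pwsh"];

// Walk ppid links until the chain leaves the captured events (or loops).
function lineage(ev: ProcEvent, byPid: { [pid: number]: ProcEvent }): ProcEvent[] {
  const chain: ProcEvent[] = [];
  const seen: { [pid: number]: boolean } = {};
  let cur: ProcEvent | undefined = byPid[ev.ppid];
  while (cur && !seen[cur.pid]) {
    seen[cur.pid] = true;
    chain.push(cur);
    cur = byPid[cur.ppid];
  }
  return chain;
}

export function detectSuspiciousSpawns(
  events: ProcEvent[],
  hostImage: string,          // the AI chat application's process image
  expectedServers: string[],  // operator-registered MCP server executables
): Finding[] {
  const byPid: { [pid: number]: ProcEvent } = {};
  for (const ev of events) byPid[ev.pid] = ev;

  const findings: Finding[] = [];
  for (const ev of events) {
    if (ev.image === hostImage) continue;
    const chain = lineage(ev, byPid);
    let hostDepth = -1; // 1 = direct child of the host, 2 = grandchild, ...
    for (let i = 0; i < chain.length; i++) {
      if (chain[i].image === hostImage) { hostDepth = i + 1; break; }
    }
    if (hostDepth === -1) continue; // not descended from the AI host

    // Rule 1: a shell anywhere under the host means some layer built a
    // command string instead of exec'ing the server binary.
    if (SHELLS.indexOf(ev.image) !== -1) {
      findings.push({ ts: ev.ts, pid: ev.pid, rule: "shell-under-ai-host",
        detail: "depth " + hostDepth + ": " + ev.cmdline.join(" ") });
      continue;
    }
    // Rule 2: a direct child of the host that is not a registered MCP server.
    if (hostDepth === 1 && expectedServers.indexOf(ev.image) === -1) {
      findings.push({ ts: ev.ts, pid: ev.pid, rule: "unexpected-child-of-ai-host",
        detail: ev.image + " " + ev.cmdline.slice(1).join(" ") });
    }
  }
  return findings;
}

// Constructed sample telemetry: the host, one legitimate server, and three
// anomalies (a shell child, a shell grandchild, an unregistered child).
export const SAMPLE_EVENTS: ProcEvent[] = [
  { ts: "2026-04-13T10:00:00Z", pid: 100, ppid: 1,   image: "chatbox", cmdline: ["chatbox"] },
  { ts: "2026-04-13T10:00:01Z", pid: 200, ppid: 100, image: "node",    cmdline: ["node", "server.js"] },
  { ts: "2026-04-13T10:00:02Z", pid: 300, ppid: 100, image: "sh",      cmdline: ["sh", "-c", "node server.js; echo injected"] },
  { ts: "2026-04-13T10:00:03Z", pid: 400, ppid: 200, image: "bash",    cmdline: ["bash", "-c", "echo hi"] },
  { ts: "2026-04-13T10:00:04Z", pid: 500, ppid: 100, image: "python3", cmdline: ["python3", "-m", "http.server"] },
  { ts: "2026-04-13T10:00:05Z", pid: 600, ppid: 1,   image: "bash",    cmdline: ["bash"] },
];

export function runSample(): Finding[] {
  return detectSuspiciousSpawns(SAMPLE_EVENTS, "chatbox", ["node", "uvx"]);
}
```

Running `runSample()` yields three findings (pids 300, 400 and 500) and ignores the unrelated shell at pid 600. Rule 1 is the one that would fire for a command-string spawn of the kind the advisory describes; Rule 2 catches the case where an attacker-controlled server definition swaps the executable for one the operator never registered. In production, replace `SAMPLE_EVENTS` with your telemetry feed and drive `expectedServers` from the same allowlist the transport enforces, so detection and prevention cannot drift apart.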