Sunwood-ai-labs MCP Server — CVE-2026-7593 OS Command Injection
A newly disclosed vulnerability in an open-source MCP server allows remote, unauthenticated OS command injection — underscoring the risk of unvetted tool integrations in AI agent ecosystems.
Details
- CVE-2026-7593 affects Sunwood-ai-labs command-executor-mcp-server up to version 0.1.0, with a CVSS 4.0 score of 6.9 (Medium).
- The flaw resides in the execute_command function in src/index.ts, which passes user-controlled input directly to the OS shell without sanitization.
- Remote exploitation requires no authentication and no user interaction — any agent connected to this MCP server can be weaponized to execute arbitrary commands on the host.
- The project received an issue report about the vulnerability but has not responded or released a patch.
- Public exploit details have been disclosed, increasing the risk of opportunistic abuse.
Why It Matters
- This is the MCP supply-chain problem in miniature: a single unmaintained server in the ecosystem becomes a direct RCE vector for any AI agent that loads it.
- The command-executor pattern — giving an LLM agent raw shell access — is inherently dangerous. Combined with no input validation, it is a guaranteed pivot point.
- As the MCP ecosystem grows, organizations need automated inventory and vetting of third-party MCP servers, not just trust in open-source availability.
What to Do
- Audit your MCP server configurations: remove or sandbox any server that executes OS commands without input validation.
- If you use command-executor-mcp-server, disable it immediately until a patch is available.
- Prefer MCP servers that implement allowlists for executable commands rather than unrestricted shell access.
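
The allowlist approach from the last bullet, as an added TypeScript example (not code from command-executor-mcp-server). The policy, `resolveCommand` and `runAllowlisted` are hypothetical names; the `exec` parameter is assumed to be a thin wrapper around Node's `child_process.execFileSync`, which starts the binary directly instead of handing a string to a shell.

```typescript
// Added example; names and policy below are hypothetical, not the project's code.
type Exec = (file: string, args: string[]) => string;
type ArgCheck = (args: string[]) => boolean;

// Arguments: no shell metacharacters, quotes or whitespace, and no leading "-"
// (a leading hyphen would let the caller smuggle in options).
const SAFE_ARG = /^[A-Za-z0-9_.\/][A-Za-z0-9_.\/=-]*$/;
const plainArgs: ArgCheck = (args) => args.every((a) => SAFE_ARG.test(a));

const GIT_READ_ONLY = ["status", "log", "diff"];

// Constructed policy: binary name -> validator for its arguments.
const ALLOWLIST: { [name: string]: ArgCheck } = {
  git: (args) => {
    const [sub, ...rest] = args;
    return sub !== undefined && GIT_READ_ONLY.indexOf(sub) !== -1 && plainArgs(rest);
  },
  ls: plainArgs,
};

// Turn the agent-supplied string into an argv array, or throw.
// The string is never interpreted by a shell; it is only split on whitespace.
function resolveCommand(request: string): { file: string; args: string[] } {
  const tokens = request.trim().split(/\s+/).filter((t) => t.length > 0);
  const file = tokens[0];
  if (file === undefined) throw new Error("empty command");
  // hasOwnProperty keeps names like "constructor" from matching Object.prototype.
  if (!Object.prototype.hasOwnProperty.call(ALLOWLIST, file)) {
    throw new Error("command not allowlisted: " + file);
  }
  const check = ALLOWLIST[file];
  const args = tokens.slice(1);
  if (!check || !check(args)) throw new Error("arguments rejected for " + file);
  return { file, args };
}

// Validate first, then hand argv to an executor that does not use a shell,
// e.g. (f, a) => execFileSync(f, a, { encoding: "utf8", timeout: 5000 }).
function runAllowlisted(request: string, exec: Exec): string {
  const { file, args } = resolveCommand(request);
  return exec(file, args);
}
```

Validation and shell-free execution are both needed: the allowlist limits which binaries and arguments are reachable, and passing an argv array keeps any character that slips through from being parsed as shell syntax.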