CVE-2026-6942 — radare2-mcp Command Injection
A critical OS command injection vulnerability in radare2-mcp, the Model Context Protocol server for the radare2 reverse-engineering framework, allows unauthenticated remote code execution with a CVSS v3.1 score of 9.8.
The vulnerability
- CVE: CVE-2026-6942
- CVSS: 9.8 (Critical) v3.1 / 9.3 v4.0
- Affected versions: radare2-mcp ≤ 1.6.0
- Fixed in: version 1.7.0
- Root cause: The
r2_cmd_str()function passes user-controlled JSON-RPC parameters without sanitizing shell metacharacters (;,|,&,$, backticks,!). - Attack vector: Remote, unauthenticated — the service listens on a network port by default with no auth.
- Impact: Arbitrary OS command execution, full system compromise.
- Discovered by: Manthan Ghasadiya
Why it matters
radare2 is widely used for security analysis, malware reverse-engineering, and CTF work. Running an MCP server for it means AI agents can invoke binary analysis tools — but this CVE turns the MCP interface into a direct shell execution path. The default network exposure with no authentication means any internet-facing instance is trivially exploitable. This is another example of the MCP ecosystem's pattern: wrapping existing tools with network-accessible interfaces that inherit the tool's full system privileges without adding access controls.
What to do
- Upgrade radare2-mcp to 1.7.0+ immediately. The fix adds sandboxing via
cfg.sandboxandcfg.sandbox.grain, restrictingexecandsocketcapabilities by default. - If you can't upgrade immediately, firewall the JSON-RPC port and allow only trusted IPs.
- Disable the radare2-mcp service if not actively needed, or run it in a container with minimal privileges.
- Monitor for JSON-RPC requests containing shell metacharacters in the
paramsfield.