Cyber Resilience

CVE-2026-2131

MediumPublic PoC

Published: 08 February 2026

Published
08 February 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.1505 96.3th percentile
Risk Priority 60 floored blend · peak EPSS

Summary

CVE-2026-2131 is a medium-severity Command Injection (CWE-77) vulnerability in Xixianliang Harmonyos Mcp Server. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked in the top 3.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2131, published on 2026-02-08, is an OS command injection vulnerability in XixianLiang HarmonyOS-mcp-server version 0.1.0. The issue affects the input_text function, where manipulation of the text argument enables command injection. It carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs-77 and CWE-78.

Remote exploitation is possible by an attacker possessing low privileges. Successful attacks allow limited impacts on confidentiality, integrity, and availability via injected OS commands.

Advisories and further details, including a public exploit, are documented in references such as https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md, https://vuldb.com/?ctiid.344766, https://vuldb.com/?id.344766, and https://vuldb.com/?submit.747209. The exploit is publicly available and might be used.

The vulnerability description notes that remote exploitation is feasible, with the public exploit increasing potential for real-world abuse.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be…

more

used.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection directly enables arbitrary Unix shell command execution (T1059.004) via exploitation of the remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-26068Shared CWE-77, CWE-78
CVE-2025-50989Shared CWE-77, CWE-78
CVE-2026-4558Shared CWE-77, CWE-78
CVE-2026-41497Shared CWE-77, CWE-78
CVE-2026-7416Shared CWE-77, CWE-78
CVE-2026-7066Shared CWE-77, CWE-78
CVE-2026-5741Shared CWE-77, CWE-78
CVE-2026-5974Shared CWE-77, CWE-78
CVE-2026-7446Shared CWE-77, CWE-78
CVE-2026-7220Shared CWE-77, CWE-78

Affected Assets

xixianliang
harmonyos mcp server
0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation and sanitization of the untrusted text argument in the input_text function.

prevent

Remediates the specific flaw in HarmonyOS-mcp-server 0.1.0 by identifying, reporting, and correcting the command injection vulnerability.

prevent

Enforces restrictions such as format and content checks on the text input at system boundaries to block command injection payloads.

References