Cyber Posture

CVE-2026-25546

Severity: High
Published: 04 February 2026
Modified: 18 March 2026
KEV Added: not listed
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25546 is a high-severity OS Command Injection (CWE-78) vulnerability in Coding-Solo Godot Mcp. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 8.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Implements input validation mechanisms to sanitize user-controlled parameters like projectPath before passing them to exec(), directly preventing command injection with shell metacharacters.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of flaws like this command injection vulnerability by patching to Godot MCP version 0.1.1 or later.

Least privilege (prevent)
Enforces least privilege on the MCP server process to limit the impact of remote code execution even if command injection succeeds.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection into exec() directly enables arbitrary shell command execution (T1059) and constitutes exploitation of a client application vulnerability to achieve code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.

Deeper analysis

CVE-2026-25546 is a command injection vulnerability in Godot MCP, a Model Context Protocol (MCP) server designed for interacting with the Godot game engine. In versions prior to 0.1.1, the executeOperation function in godot-mcp passes user-controlled input, such as the projectPath parameter, directly to exec(), which spawns a shell without proper sanitization. This allows injection of shell metacharacters, such as $(command) or &calc, leading to remote code execution with the privileges of the MCP server process. The flaw affects any tools that accept projectPath, including create_scene, add_node, load_sprite, and others, and is classified under CWE-78 with a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker with local access can exploit this vulnerability by providing malicious input through affected tools, requiring low complexity and user interaction, such as tricking a user into specifying a crafted projectPath. No privileges are needed (PR:N), enabling execution of arbitrary commands on the host system under the MCP server's context. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially allowing full compromise of the system running the server.

The vulnerability has been patched in Godot MCP version 0.1.1, as detailed in the project's GitHub security advisory (GHSA-8jx2-rhfh-q928), associated issue (#64), pull request (#67), and patching commit (21c785d923cfdb471ea60323c13807d62dfecc5a). Security practitioners should update to 0.1.1 or later and review usage of projectPath in MCP interactions to prevent injection risks.

Details

CWE(s): CWE-78 (OS Command Injection)
Affected Products: coding-solo godot mcp ≤ 0.1.1

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol, mcp, mcp, mcp

CVEs Like This One

CVE-2025-6514 (shared CWE-78)
CVE-2025-66401 (shared CWE-78)
CVE-2026-26029 (shared CWE-78)
CVE-2024-14010 (shared CWE-78)
CVE-2025-54074 (shared CWE-78)
CVE-2025-65480 (shared CWE-78)
CVE-2026-26331 (shared CWE-78)
CVE-2025-64109 (shared CWE-78)
CVE-2026-34935 (shared CWE-78)
CVE-2026-23882 (shared CWE-78)

References