Cyber Posture

CVE-2026-30303

Severity: Critical · RCE

Published: 27 March 2026
Modified: 02 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0037 (58.9th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30303 is a critical-severity OS Command Injection (CWE-78) vulnerability in Matterai Axon Code. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 41.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Windows Command Shell (T1059.003). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 Information Input Validation (prevent): Mandates input validation at command entry points to reject payloads exploiting incompatible parsers and Windows CMD escape sequences like caret (^).

SI-2 Flaw Remediation (prevent, recover): Requires timely remediation of flaws such as the misuse of a Unix shell-quote library on Windows, preventing exploitation through patches and verification.

(prevent): Enforces restrictions on command inputs to authorized whitelisted types, strengthening the auto-approval mechanism against bypass attempts.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.003 Windows Command Shell (Execution): Adversaries may abuse the Windows command shell for execution.

Why these techniques?

The CVE enables remote exploitation of a public-facing application (T1190) via OS command injection into Windows CMD (T1059.003), bypassing the whitelist for arbitrary RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check.

Deeper analysis [AI-generated]

CVE-2026-30303 is an OS Command Injection vulnerability (CWE-78) in the command auto-approval module of Axon Code, published on 2026-03-27. The flaw makes the module's whitelist security mechanism ineffective due to the use of an incompatible Unix-based shell-quote library for command parsing on Windows platforms. This library fails to properly handle Windows CMD-specific escape sequences, such as the caret (^), allowing crafted inputs to bypass validation while being executed differently by the underlying interpreter.

Remote attackers without authentication can exploit this vulnerability by constructing payloads like git log ^" & malicious_command ^". The Axon Code parser misinterprets the escaped quotes and the command connector (&) as part of a protected string argument, auto-approving the input as a legitimate Git command on the whitelist. However, the Windows CMD interpreter disregards the escapes, directly parsing and executing the malicious command. This achieves arbitrary remote code execution (RCE), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
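The parser/interpreter mismatch described in the NVD description and the deeper analysis above, modelled as an added example (not Axon Code's or shell-quote's own code): a simplified Unix-style tokenizer, the naive allowlist check it drives, and a hardened check that refuses auto-approval on Windows whenever a cmd.exe metacharacter is present. The allowlist contents, the tokenizer, and all function names are assumptions made for the illustration.

```javascript
// Added example, not Axon Code's or shell-quote's own code: a simplified model of the
// parser/interpreter mismatch behind CVE-2026-30303 beside a Windows-aware check.
// Assumptions: the allowlist holds only "git"; the platform is passed in explicitly.

const ALLOWLIST = new Set(['git']);

// Minimal stand-in for a Unix-style tokenizer: '"' toggles a quoted string, backslash
// escapes the next character, and '^' is an ordinary character (as in a POSIX shell).
// Returns the command-connector characters found outside quotes.
function unixStyleOperators(cmd) {
  const ops = [];
  let inQuote = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (!inQuote && c === '\\') { i++; continue; }
    if (c === '"') { inQuote = !inQuote; continue; }
    if (!inQuote && (c === '&' || c === '|' || c === ';')) ops.push(c);
  }
  return ops;
}

function firstWord(cmd) {
  return cmd.trim().split(/\s+/)[0] || '';
}

// Flawed check as the advisory describes it: a Unix-style parse decides whether the
// command is an allowlisted program with no connectors. The '^"' sequence makes the
// '&' look like part of a quoted argument, although cmd.exe treats '^' as an escape.
function naiveAutoApprove(cmd) {
  return ALLOWLIST.has(firstWord(cmd)) && unixStyleOperators(cmd).length === 0;
}

// Characters cmd.exe treats specially: escape, connectors, redirection, expansion.
const CMD_META = /[\^&|<>%!()\r\n]/;

// Hardened check: on Windows, any cmd.exe metacharacter removes the command from
// auto-approval (fail closed: ask the user instead), so a parser that does not model
// cmd.exe quoting is never the sole gate on that platform.
function hardenedAutoApprove(cmd, platform = process.platform) {
  if (platform === 'win32' && CMD_META.test(cmd)) return false;
  return ALLOWLIST.has(firstWord(cmd)) && unixStyleOperators(cmd).length === 0;
}

// Constructed inputs, including the payload shape quoted in the advisory.
const samples = ['git log --oneline -n 5', 'git log ^" & malicious_command ^"'];
for (const s of samples) {
  console.log(JSON.stringify(s), 'naive:', naiveAutoApprove(s),
              'hardened on win32:', hardenedAutoApprove(s, 'win32'));
}
```

Rejecting every cmd.exe metacharacter is deliberately conservative: a legitimate command such as one using a % format string simply falls back to manual approval rather than being executed or denied outright.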

Advisories and further details are available in the referenced sources: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/6 and https://www.matterai.so/.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: matterai / axon code, versions ≤ 4.123.1

CVEs Like This One

CVE-2025-11953 (shared CWE-78)
CVE-2026-22781 (shared CWE-78)
CVE-2020-37032 (shared CWE-78)
CVE-2023-53941 (shared CWE-78)
CVE-2025-57516 (shared CWE-78)
CVE-2025-15559 (shared CWE-78)
CVE-2026-30302 (shared CWE-78)
CVE-2026-28391 (shared CWE-78)
CVE-2025-34335 (shared CWE-78)
CVE-2026-26832 (shared CWE-78)
