Cyber Posture

CVE-2026-30625

Critical · RCE · Updated

Published: 15 April 2026

Modified: 27 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0034 (57.0th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-30625 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 43.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Directly validates MCP task command and argument inputs to block command injection via whitelisted tools like npm and npx.

prevent: Enforces access control policies to prevent unauthenticated remote creation of malicious MCP tasks.

prevent: Limits Upsonic process privileges to minimize impact if RCE occurs through exploited MCP tasks.

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The vulnerability enables unauthenticated remote code execution via command injection in a public-facing MCP server (T1190), directly facilitating arbitrary OS command execution through abused interpreters like npm/npx (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning about using Stdio servers being able to execute commands directly on the machine.

Deeper analysis [AI]

CVE-2026-30625 is a remote code execution vulnerability affecting Upsonic version 0.71.6, specifically in its MCP server and task creation functionality. The flaw arises because the application permits users to define MCP tasks using arbitrary command and argument values, despite an existing allowlist. Certain whitelisted commands, such as npm and npx, can accept argument flags that enable the execution of arbitrary operating system commands, bypassing the intended restrictions.
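
The gap described above, shown from the defender's side: a check on the command name alone accepts any argument list, while a check on the whole argv does not. This is an added example, not Upsonic's code or its patch; the policy table, function names, package name and the `--unreviewed-option` token are hypothetical placeholders.

```python
import re

ALLOWED_COMMANDS = {"npm", "npx"}  # name-only allowlist, as the description outlines

# Hypothetical policy: every approved stdio server is one complete argv template.
# "<pkg>" is a slot for a version-pinned package spec; other tokens match literally.
APPROVED_ARGV = {"npx": [["-y", "<pkg>"]]}
PINNED_PKG = re.compile(r"(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*@\d+\.\d+\.\d+")


def name_only_check(task):
    """Weak form: compares only the command name, never looks at args."""
    return task.get("command") in ALLOWED_COMMANDS


def _token_ok(expected, actual):
    if expected == "<pkg>":
        # A pinned spec cannot start with '-', so an option cannot fill this slot.
        return PINNED_PKG.fullmatch(actual) is not None
    return expected == actual


def strict_check(task):
    """Hardened form: returns (ok, reason); argv must equal an approved template."""
    command, args = task.get("command"), task.get("args")
    if command not in APPROVED_ARGV:  # also rejects paths such as /tmp/npx
        return False, "command not approved"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"
    for template in APPROVED_ARGV[command]:
        if len(template) == len(args) and all(
            _token_ok(t, a) for t, a in zip(template, args)
        ):
            return True, "matches approved template"
    return False, "argv does not match any approved template"


# Constructed sample tasks (not taken from any real deployment).
TASK_APPROVED = {"command": "npx", "args": ["-y", "@example/mcp-server@1.2.3"]}
TASK_EXTRA_OPTION = {
    "command": "npx",
    "args": ["--unreviewed-option", "value", "@example/mcp-server@1.2.3"],
}

if __name__ == "__main__":
    for task in (TASK_APPROVED, TASK_EXTRA_OPTION):
        print(task["args"], name_only_check(task), strict_check(task))
```

Argument validation of this kind complements, and does not replace, the access-control and least-privilege controls listed above.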

Unauthenticated remote attackers can exploit this vulnerability by submitting maliciously crafted MCP tasks, leading to remote code execution with the privileges of the Upsonic process. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, with network accessibility, low complexity, and no privileges required, resulting in high impacts on confidentiality, integrity, and availability. This is classified under CWE-77 (Command Injection).

The Upsonic GitHub commit at https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305 documents the patch, while version 0.72.0 introduced a warning about Stdio servers' ability to execute commands directly on the host machine. Additional details on mitigation appear in the OX Security advisory at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/.

This vulnerability is part of broader RCE issues in the AI ecosystem supply chain, as highlighted in the referenced advisory. No public information on real-world exploitation is available in the provided details.

Details

CWE(s)

Affected Products

In
inferred from references and description; NVD did not file a CPE for this CVE

AI Security Analysis [AI]

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, mcp, mcp

CVEs Like This One

CVE-2025-61492 (Shared CWE-77)
CVE-2026-30616 (Shared CWE-77)
CVE-2026-30624 (Shared CWE-77)
CVE-2026-30615 (Shared CWE-77)
CVE-2026-22688 (Shared CWE-77)
CVE-2025-59252 (Shared CWE-77)
CVE-2025-60021 (Shared CWE-77)
CVE-2025-59286 (Shared CWE-77)
CVE-2024-53615 (Shared CWE-77)
CVE-2025-52688 (Shared CWE-77)

References