Cyber Resilience

CVE-2026-30625

Critical · RCE

Published: 15 April 2026

Modified: 27 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0097 (57.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-30625 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 42.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-30625 is a remote code execution vulnerability affecting Upsonic version 0.71.6, specifically in its MCP server and task creation functionality. The flaw arises because the application permits users to define MCP tasks using arbitrary command and argument values, despite an existing allowlist. Certain whitelisted commands, such as npm and npx, can accept argument flags that enable the execution of arbitrary operating system commands, bypassing the intended restrictions.

Unauthenticated remote attackers can exploit this vulnerability by submitting maliciously crafted MCP tasks, leading to remote code execution with the privileges of the Upsonic process. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, with network accessibility, low complexity, and no privileges required, resulting in high impacts on confidentiality, integrity, and availability. This is classified under CWE-77 (Command Injection).

The Upsonic GitHub commit at https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305 documents the patch, while version 0.72.0 introduced a warning about Stdio servers' ability to execute commands directly on the host machine. Additional details on mitigation appear in the OX Security advisory at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/.

This vulnerability is part of broader RCE issues in the AI ecosystem supply chain, as highlighted in the referenced advisory. No public information on real-world exploitation is available in the provided details.


Vulnerability details

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning about using Stdio servers being able to execute commands directly on the machine.


AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability enables unauthenticated remote code execution via command injection in a public-facing MCP server (T1190), directly facilitating arbitrary OS command execution through abused interpreters like npm/npx (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30616 (Shared CWE-77)
CVE-2025-61492 (Shared CWE-77)
CVE-2026-30624 (Shared CWE-77)
CVE-2026-30615 (Shared CWE-77)
CVE-2026-22688 (Shared CWE-77)
CVE-2026-7316 (Shared CWE-77)
CVE-2026-7593 (Shared CWE-77)
CVE-2026-44869 (Shared CWE-77)
CVE-2025-49836 (Shared CWE-77)
CVE-2026-44866 (Shared CWE-77)

Affected Assets

Inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly validates MCP task command and argument inputs to block command injection via whitelisted tools like npm and npx.

Prevent: Enforces access control policies to prevent unauthenticated remote creation of malicious MCP tasks.

Prevent: Limits Upsonic process privileges to minimize impact if RCE occurs through exploited MCP tasks.
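
One way to implement the command-and-argument validation named in the first control above, as an added example (not Upsonic's code or its patch): a Python validator for stdio MCP task definitions that allowlists the option flags and the package spec, not only the command name. The policy contents, the package name `@example/mcp-docs-server` and the function name `validate_mcp_task` are assumptions constructed for illustration.

```python
import re

# Constructed policy for illustration: for each allowed command, the exact
# option flags permitted and the version-pinned packages that may be launched.
POLICY = {
    "npx": {
        "flags": {"-y", "--yes"},
        "packages": {"@example/mcp-docs-server@1.4.2"},
    },
}
# Values handed on to the launched server: plain tokens only (assumed policy).
SAFE_VALUE = re.compile(r"[A-Za-z0-9_./:@=-]+")


def validate_mcp_task(command, args):
    """Return (True, "ok") or (False, reason) for a stdio MCP task definition."""
    # Bare command names only: a path such as /usr/bin/npx is not a policy key.
    rule = POLICY.get(command) if isinstance(command, str) else None
    if rule is None:
        return False, f"command not allowed: {command!r}"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return False, "args must be a list of strings"

    i = 0
    # Options before the package: exact match only, so unknown flags and
    # --flag=value forms are refused instead of being passed to the tool.
    while i < len(args) and args[i].startswith("-"):
        if args[i] not in rule["flags"]:
            return False, f"flag not allowed for {command}: {args[i]!r}"
        i += 1
    # The first positional argument must be an allowlisted, pinned package.
    if i == len(args) or args[i] not in rule["packages"]:
        return False, "package must be an allowlisted, version-pinned spec"
    # Everything after the package: no option-like or unusual tokens.
    for value in args[i + 1:]:
        if value.startswith("-") or not SAFE_VALUE.fullmatch(value):
            return False, f"server argument rejected: {value!r}"
    return True, "ok"
```

A task that passes should then be launched from the validated list as an argument vector, with no shell in between.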
