Cyber Resilience

CVE-2026-7039

High

Published: 26 April 2026

Modified: 29 April 2026
KEV Added: -
Patch: -
CVSS Score (v4): 7.1
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0010 (26.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-7039 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 26.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7039 is a command injection vulnerability affecting tufantunc/ssh-mcp versions up to 1.5.0. The flaw exists in the shell.write function of the src/index.ts file, where manipulation of the "Description" argument enables command injection. It is classified under CWE-74 and CWE-77.

The vulnerability requires local access (AV:L) with low privileges (PR:L) and no user interaction (UI:N), carrying a CVSS v3.1 base score of 7.8 (High) due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A local attacker could exploit this to inject and execute arbitrary commands on the system.

The project was notified early via GitHub issue #44 but has not responded. No patches or official mitigations are available, and the exploit has been publicly disclosed, making it potentially usable by attackers. Relevant details are documented in the project's GitHub repository and VulDB entries.

Vulnerability details

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in shell.write allows local arbitrary command execution on the vulnerable process, directly mapping to T1203 (Exploitation for Client Execution) and T1059.004 (Unix Shell) for command interpreter abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3484: Shared CWE-74, CWE-77
CVE-2026-7812: Shared CWE-74, CWE-77
CVE-2025-24150: Shared CWE-77
CVE-2026-7211: Shared CWE-74, CWE-77
CVE-2026-2178: Shared CWE-74, CWE-77
CVE-2026-2130: Shared CWE-74, CWE-77
CVE-2026-7157: Shared CWE-74, CWE-77
CVE-2026-6980: Shared CWE-74, CWE-77
CVE-2026-7316: Shared CWE-74, CWE-77
CVE-2026-7215: Shared CWE-74, CWE-77

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents command injection by requiring validation and sanitization of the Description argument before passing it to the shell.write function.

prevent

Enforces restrictions on the Description input to block shell metacharacters and prevent injection into shell.write.

prevent, recover

Mandates identification, reporting, and correction of the specific command injection flaw in ssh-mcp up to version 1.5.0.
