CVE-2026-7039
Published: 26 April 2026
Summary
CVE-2026-7039 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 26.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-7039 is a command injection vulnerability affecting tufantunc/ssh-mcp versions up to 1.5.0. The flaw exists in the shell.write function of the src/index.ts file, where manipulation of the "Description" argument enables command injection. It is classified under CWE-74 and CWE-77.
The vulnerability requires local access (AV:L) with low privileges (PR:L) and no user interaction (UI:N), carrying a CVSS v3.1 base score of 7.8 (High) due to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). A local attacker could exploit this to inject and execute arbitrary commands on the system.
The project was notified early via GitHub issue #44 but has not responded. No patches or official mitigations are available, and the exploit has been publicly disclosed, making it potentially usable by attackers. Relevant details are documented in the project's GitHub repository and VulDB entries.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25716
Vulnerability details
A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally.
The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in shell.write allows local arbitrary command execution on the vulnerable process, directly mapping to T1203 (Exploitation for Client Execution) and T1059.004 (Unix Shell) for command interpreter abuse.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection by requiring validation and sanitization of the Description argument before passing it to the shell.write function.
Enforces restrictions on the Description input to block shell metacharacters and prevent injection into shell.write.
Mandates identification, reporting, and correction of the specific command injection flaw in ssh-mcp up to version 1.5.0.