CVE-2026-7061
Published: 26 April 2026
Summary
CVE-2026-7061 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
A weakness has been identified in Toowiredd chatgpt-mcp-server up to version 0.1.0, specifically in the src/services/docker.service.ts file of the MCP/HTTP component. The issue stems from improper handling that permits OS command injection, tracked under CWE-77 and CWE-78, and carries a CVSS 4.0 score of 5.5 reflecting network-accessible attack conditions without authentication requirements.
Remote attackers can exploit the flaw by supplying crafted input that results in arbitrary command execution on the host system. Public exploit code has already been released, enabling straightforward attacks against any reachable instance of the affected server.
The project maintainers were notified via an issue report but have not issued a response or patch. The associated EPSS score remains low, moving only from 0.0171 to a peak of 0.0176 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25731
Vulnerability details
A weakness has been identified in Toowiredd chatgpt-mcp-server up to 0.1.0. Affected by this issue is some unknown functionality of the file src/services/docker.service.ts of the component MCP/HTTP. This manipulation causes OS command injection. Remote exploitation of the attack is possible.
The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
- CWE(s)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: chatgpt, mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in public-facing MCP/HTTP component (docker.service.ts) directly enables remote exploitation of public-facing applications (T1190) and arbitrary command execution via command interpreters (T1059).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents OS command injection in the MCP/HTTP component by implementing input validation mechanisms on untrusted inputs to src/services/docker.service.ts.
Establishes a risk-based process to identify, prioritize, and remediate the specific OS command injection flaw in chatgpt-mcp-server up to 0.1.0.
Enables ongoing vulnerability scanning to detect this CVE-2026-7061 instance and trigger timely remediation despite the lack of vendor response.