CVE-2026-7061
Published: 26 April 2026
Summary
CVE-2026-7061 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection in the MCP/HTTP component by implementing input validation mechanisms on untrusted inputs to src/services/docker.service.ts.
Establishes a risk-based process to identify, prioritize, and remediate the specific OS command injection flaw in chatgpt-mcp-server up to 0.1.0.
Enables ongoing vulnerability scanning to detect this CVE-2026-7061 instance and trigger timely remediation despite the lack of vendor response.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in public-facing MCP/HTTP component (docker.service.ts) directly enables remote exploitation of public-facing applications (T1190) and arbitrary command execution via command interpreters (T1059).
NVD Description
A weakness has been identified in Toowiredd chatgpt-mcp-server up to 0.1.0. Affected by this issue is some unknown functionality of the file src/services/docker.service.ts of the component MCP/HTTP. This manipulation causes os command injection. Remote exploitation of the attack is possible.…
more
The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-7061 is an OS command injection vulnerability affecting Toowiredd chatgpt-mcp-server versions up to 0.1.0. The issue resides in an unknown functionality within the file src/services/docker.service.ts of the MCP/HTTP component. Published on 2026-04-26, it is rated with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWEs-77 and CWE-78.
The vulnerability enables remote exploitation without authentication or user interaction. Attackers can manipulate inputs to inject OS commands via the affected component, potentially leading to low-level impacts on confidentiality, integrity, and availability, such as limited data exposure, modification, or service disruption on the host system.
Advisories reference the project's GitHub repository and issue #8, where the vulnerability was reported early, but the maintainers have not responded. An exploit is publicly available via wing3e/public_exp/issues/28, and details are documented on VulDB (vuln/359636). No patches or mitigations are mentioned in the available information.
Notably, the exploit's public disclosure increases the risk of real-world attacks, particularly for deployments of this ChatGPT-related MCP server.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- APIs and Models
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp, mcp