Cyber Resilience

CVE-2026-7061

Medium

Published: 26 April 2026

Published
26 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0171 82.8th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7061 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

A weakness has been identified in Toowiredd chatgpt-mcp-server up to version 0.1.0, specifically in the src/services/docker.service.ts file of the MCP/HTTP component. The issue stems from improper handling that permits OS command injection, tracked under CWE-77 and CWE-78, and carries a CVSS 4.0 score of 5.5 reflecting network-accessible attack conditions without authentication requirements.

Remote attackers can exploit the flaw by supplying crafted input that results in arbitrary command execution on the host system. Public exploit code has already been released, enabling straightforward attacks against any reachable instance of the affected server.

The project maintainers were notified via an issue report but have not issued a response or patch. The associated EPSS score remains low, moving only from 0.0171 to a peak of 0.0176 with no material increase after disclosure.

EU & UK References

Vulnerability details

A weakness has been identified in Toowiredd chatgpt-mcp-server up to 0.1.0. Affected by this issue is some unknown functionality of the file src/services/docker.service.ts of the component MCP/HTTP. This manipulation causes os command injection. Remote exploitation of the attack is possible.…

more

The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: chatgpt, mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

OS command injection in public-facing MCP/HTTP component (docker.service.ts) directly enables remote exploitation of public-facing applications (T1190) and arbitrary command execution via command interpreters (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42271Shared CWE-77, CWE-78
CVE-2025-59736Shared CWE-77, CWE-78
CVE-2025-44015Shared CWE-77, CWE-78
CVE-2025-59740Shared CWE-77, CWE-78
CVE-2026-7064Shared CWE-77, CWE-78
CVE-2026-4585Shared CWE-77, CWE-78
CVE-2026-7698Shared CWE-77, CWE-78
CVE-2025-49836Shared CWE-77
CVE-2026-1544Shared CWE-77, CWE-78
CVE-2025-1536Shared CWE-77, CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection in the MCP/HTTP component by implementing input validation mechanisms on untrusted inputs to src/services/docker.service.ts.

prevent

Establishes a risk-based process to identify, prioritize, and remediate the specific OS command injection flaw in chatgpt-mcp-server up to 0.1.0.

preventdetect

Enables ongoing vulnerability scanning to detect this CVE-2026-7061 instance and trigger timely remediation despite the lack of vendor response.

References