Cyber Resilience

CVE-2026-7066

Severity: Medium

Published: 27 April 2026
Modified: 29 April 2026
KEV Added: not listed
Patch: none available
CVSS Score v4: 5.5 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0212 (84.5th percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7066 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 15.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability identified as CVE-2026-7066 affects the choieastsea simple-openstack-mcp project up to commit 767b2f4a8154cca344344b9725537a58399e6036. The issue resides in the exec_openstack function within server.py, where improper handling of input enables OS command injection, corresponding to CWE-77 and CWE-78. The product follows a rolling-release model, so no specific version numbers distinguish affected or fixed releases.

The flaw can be exploited remotely by unauthenticated attackers who supply crafted input to trigger arbitrary operating-system commands. A public exploit is already available, and the CVSS 4.0 score of 5.5 reflects limited impacts to confidentiality, integrity, and availability without requiring user interaction or privileges.

The project was notified of the problem through an issue report but has not issued a response or patch. Reference materials, including the GitHub repository and associated Vuldb entries, contain no mitigation guidance or updated code. The associated EPSS score has remained essentially flat between 0.0212 and a peak of 0.0218, indicating no notable increase in observed exploitation interest.

EU & UK References

Vulnerability details

A vulnerability was found in choieastsea simple-openstack-mcp up to 767b2f4a8154cca344344b9725537a58399e6036. The affected element is the function exec_openstack of the file server.py. The manipulation results in OS command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in remotely accessible server.py endpoint enables T1190 (Exploit Public-Facing Application) for initial remote access and T1059.004 (Unix Shell) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5741 (shared CWE-77, CWE-78)
CVE-2026-7446 (shared CWE-77, CWE-78)
CVE-2026-7416 (shared CWE-77, CWE-78)
CVE-2026-7220 (shared CWE-77, CWE-78)
CVE-2026-9454 (shared CWE-77, CWE-78)
CVE-2026-6116 (shared CWE-77, CWE-78)
CVE-2026-6158 (shared CWE-77, CWE-78)
CVE-2026-7138 (shared CWE-77, CWE-78)
CVE-2025-9387 (shared CWE-77, CWE-78)
CVE-2025-15472 (shared CWE-77, CWE-78)

Affected Assets

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Directly requires validation of untrusted inputs to the exec_openstack function in server.py to prevent OS command injection.

prevent (SI-2, Flaw Remediation): Ensures timely remediation of the known flaw up to commit 767b2f4a8154cca344344b9725537a58399e6036 through patching or code correction.

prevent: Restricts the format, length, and types of remotely submitted inputs to block common command injection payloads.
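The following is an added example of what the SI-10 controls above look like in code; it is not taken from simple-openstack-mcp, whose exec_openstack is not shown on this page. The allowlisted subcommands, the token pattern, and the "openstack <resource> <action> [args]" input shape are assumptions made for the example.

```python
import re
import shlex
import subprocess
from typing import List

# Allowlist of (resource, action) pairs the tool may run. The real
# simple-openstack-mcp tool surface is not on the page; this set is assumed.
ALLOWED_COMMANDS = {
    ("server", "list"), ("server", "show"),
    ("network", "list"), ("image", "list"),
}
# A token may only be a plain identifier, path or flag; shell metacharacters
# (; | & $ ` ( ) < > and quotes) never match and are rejected before execution.
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.:/=@-]{1,128}$")


class InvalidCommand(ValueError):
    """Raised when client input fails validation; nothing is executed."""


def build_argv(user_input: str) -> List[str]:
    """Tokenise without a shell, require an allowlisted (resource, action)
    pair, and bound the count and shape of every remaining token."""
    try:
        tokens = shlex.split(user_input)
    except ValueError as exc:  # unbalanced quotes and similar
        raise InvalidCommand(f"unparseable input: {exc}") from exc
    if tokens and tokens[0] == "openstack":
        tokens = tokens[1:]
    if len(tokens) < 2 or len(tokens) > 16:
        raise InvalidCommand("expected '<resource> <action> [args...]'")
    if (tokens[0], tokens[1]) not in ALLOWED_COMMANDS:
        raise InvalidCommand(f"subcommand not permitted: {tokens[0]} {tokens[1]}")
    for tok in tokens:
        if not SAFE_TOKEN.match(tok):
            raise InvalidCommand(f"rejected token: {tok!r}")
    return tokens


def is_accepted(user_input: str) -> bool:
    """True if the input would be executed, False if validation blocks it."""
    try:
        build_argv(user_input)
        return True
    except InvalidCommand:
        return False


def exec_openstack(user_input: str, timeout: int = 30) -> str:
    """Hardened form: argv list, shell=False and a bounded runtime, so no
    shell ever parses the client text and metacharacters cannot chain commands."""
    argv = ["openstack", *build_argv(user_input)]
    completed = subprocess.run(argv, shell=False, capture_output=True,
                               text=True, timeout=timeout, check=False)
    return completed.stdout
```

Rejecting at the token level and passing an argv list (never a formatted shell string) removes the injection sink; the allowlist additionally limits what a caller can do even with well-formed input.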

References