Cyber Resilience

CVE-2026-7220

Medium

Published: 28 April 2026

Published
28 April 2026
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0212 84.5th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7220 is a medium-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 15.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A vulnerability identified as CVE-2026-7220 affects the jackwrichards FastlyMCP project up to commit 6f3d0b0e654fc51076badc7fa16c03c461f95620. It resides in an unknown function within the fastly-mcp.mjs file of the fastly_cli Tool component, where manipulation of the command argument enables OS command injection. The issue stems from improper handling of user-supplied input and is classified under CWE-77 and CWE-78. The product follows a rolling release model, so no specific version numbers are provided for affected or fixed releases.

Remote attackers can exploit the flaw without requiring authentication or user interaction, allowing them to execute arbitrary operating system commands. Successful exploitation yields limited impacts on confidentiality, integrity, and availability according to the CVSS 5.5 rating, with public exploit code already disclosed that may be leveraged in attacks.

The referenced GitHub repository and associated issue report indicate that maintainers were notified early via an issue submission, yet no response or patch has been issued. No mitigation guidance or updated releases are documented in the available references.

EPSS scores remain low, with a current value of 0.0212 and a peak of 0.0218, showing no material increase that would indicate rising exploitation interest.

EU & UK References

Vulnerability details

A vulnerability has been found in jackwrichards FastlyMCP up to 6f3d0b0e654fc51076badc7fa16c03c461f95620. This impacts an unknown function of the file fastly-mcp.mjs of the component fastly_cli Tool. The manipulation of the argument command leads to os command injection. It is possible to…

more

initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

OS command injection in a remotely accessible component allows arbitrary OS command execution with no auth or user interaction, directly enabling T1190 (Exploit Public-Facing Application) and T1059.004 (Unix Shell) for command interpreter abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7066Shared CWE-77, CWE-78
CVE-2026-5741Shared CWE-77, CWE-78
CVE-2026-7446Shared CWE-77, CWE-78
CVE-2026-7416Shared CWE-77, CWE-78
CVE-2026-9454Shared CWE-77, CWE-78
CVE-2026-6116Shared CWE-77, CWE-78
CVE-2026-6158Shared CWE-77, CWE-78
CVE-2026-7138Shared CWE-77, CWE-78
CVE-2025-9387Shared CWE-77, CWE-78
CVE-2025-15472Shared CWE-77, CWE-78

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of the specific OS command injection flaw in the fastly_cli tool up to the affected commit.

prevent

Mandates input validation and error handling for the 'command' argument at system entry points to detect and prevent OS command injection attacks.

prevent

Enforces least privilege on the process handling the vulnerable fastly-mcp.mjs function, limiting the scope and impact of any successfully injected OS commands.

References