CVE-2026-7812
Published: 05 May 2026
Summary
CVE-2026-7812 is a high-severity Injection (CWE-74) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents command injection by validating the user-controlled 'operation' argument in git_operation before execution to block malicious payloads.
Requires timely remediation of the known command injection flaw in code-mcp's git_operation function through patching or compensatory controls.
Limits the impact of injected commands by enforcing least privilege on the server process handling the vulnerable git_operation function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in a remotely accessible, unauthenticated MCP server component directly enables T1190 (Exploit Public-Facing Application) for initial access and results in arbitrary command execution that maps to T1059 (Command and Scripting Interpreter).
NVD Description
A vulnerability was found in 54yyyu code-mcp up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The impacted element is the function git_operation of the file src/code_mcp/server.py of the component MCP Tool. Performing a manipulation of the argument operation results in command injection. The attack can…
more
be initiated remotely. The exploit has been made public and could be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-7812 is a command injection vulnerability in the 54yyyu code-mcp project, affecting commits up to 4cfc4643541a110c906d93635b391bf7e357f4a8. The flaw resides in the git_operation function within the file src/code_mcp/server.py of the MCP Tool component. By manipulating the 'operation' argument, attackers can inject arbitrary commands, as classified under CWE-74 and CWE-77. The project uses continuous delivery with rolling releases, so no specific affected or patched versions are available.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity, earning it a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation allows limited impacts on confidentiality, integrity, and availability, such as executing unauthorized commands on the server.
Advisories from VulDB and the project's GitHub repository indicate the issue was reported early via issue #5, but the maintainers have not responded or issued patches. No mitigation steps or updated releases are detailed due to the rolling release model.
The exploit has been made public and could be used, though no real-world exploitation in the wild is noted.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp, mcp