Skip to main content

automagik-genie CVE-2026-30635

| EUVDEUVD-2026-29159 HIGH
OS Command Injection (CWE-78)
2026-05-11 mitre GHSA-64vr-4gr2-m642
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 12, 2026 - 16:31 vuln.today
CVSS changed
May 12, 2026 - 14:22 NVD
8.1 (HIGH)
CVE Published
May 11, 2026 - 00:00 nvd
UNKNOWN (no severity yet)
CVE Published
May 11, 2026 - 00:00 nvd
HIGH 8.1

DescriptionCVE.org

Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.

AnalysisAI

Remote code execution in automagik-genie 2.5.27 MCP Server occurs when processing transcripts from attacker-controlled external FORGE_BASE_URL endpoints. Exploitation chains command injection in the readTranscriptFromCommit function's view_task parameter to execute arbitrary system commands on the server. A proof-of-concept exploit exists, though active exploitation has not been confirmed by CISA KEV at time of analysis.

Technical ContextAI

This vulnerability exploits CWE-78 (OS Command Injection) in the Model Context Protocol (MCP) Server component of automagik-genie. The readTranscriptFromCommit function in dist/mcp/server.js improperly sanitizes user input from the view_task (aliased as 'view') parameter before passing it to system command execution. When the application fetches transcript data from an external FORGE_BASE_URL controlled by an attacker, malicious command sequences embedded in the response can break out of the intended command context and execute arbitrary OS commands with the privileges of the MCP Server process. The vulnerability exists specifically in version 2.5.27, affecting the server-side transcript processing pipeline.

RemediationAI

Primary remediation requires upgrading automagik-genie beyond version 2.5.27 to a patched release, though the specific fixed version is not confirmed in available data as no vendor security bulletin was identified. Until a verified patch is released, implement these compensating controls: (1) Disable or restrict the readTranscriptFromCommit functionality if not business-critical, accepting loss of external transcript reading capability. (2) Implement strict allowlist validation for FORGE_BASE_URL to permit only trusted, organization-controlled endpoints, recognizing this reduces integration flexibility with third-party forges. (3) Deploy Web Application Firewall (WAF) rules to inspect and block command injection patterns in view_task parameters, though this may generate false positives requiring tuning. (4) Run the MCP Server process under least-privilege service accounts within restricted containers or sandboxes to limit command execution blast radius, with operational overhead of container management. Monitor the researcher disclosure at https://gist.github.com/spdc-elm/3ddecd10ffa85c5963ab7fe531619875 and the project's official repository for patch announcements.

Share

CVE-2026-30635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy