Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Command injection vulnerability in automagik-genie 2.5.27 MCP Server allows attackers to execute arbitrary commands via the view_task (aka view) in the readTranscriptFromCommit function in dist/mcp/server.js when a user reads from an external FORGE_BASE_URL.
AnalysisAI
Remote code execution in automagik-genie 2.5.27 MCP Server occurs when processing transcripts from attacker-controlled external FORGE_BASE_URL endpoints. Exploitation chains command injection in the readTranscriptFromCommit function's view_task parameter to execute arbitrary system commands on the server. A proof-of-concept exploit exists, though active exploitation has not been confirmed by CISA KEV at time of analysis.
Technical ContextAI
This vulnerability exploits CWE-78 (OS Command Injection) in the Model Context Protocol (MCP) Server component of automagik-genie. The readTranscriptFromCommit function in dist/mcp/server.js improperly sanitizes user input from the view_task (aliased as 'view') parameter before passing it to system command execution. When the application fetches transcript data from an external FORGE_BASE_URL controlled by an attacker, malicious command sequences embedded in the response can break out of the intended command context and execute arbitrary OS commands with the privileges of the MCP Server process. The vulnerability exists specifically in version 2.5.27, affecting the server-side transcript processing pipeline.
RemediationAI
Primary remediation requires upgrading automagik-genie beyond version 2.5.27 to a patched release, though the specific fixed version is not confirmed in available data as no vendor security bulletin was identified. Until a verified patch is released, implement these compensating controls: (1) Disable or restrict the readTranscriptFromCommit functionality if not business-critical, accepting loss of external transcript reading capability. (2) Implement strict allowlist validation for FORGE_BASE_URL to permit only trusted, organization-controlled endpoints, recognizing this reduces integration flexibility with third-party forges. (3) Deploy Web Application Firewall (WAF) rules to inspect and block command injection patterns in view_task parameters, though this may generate false positives requiring tuning. (4) Run the MCP Server process under least-privilege service accounts within restricted containers or sandboxes to limit command execution blast radius, with operational overhead of container management. Monitor the researcher disclosure at https://gist.github.com/spdc-elm/3ddecd10ffa85c5963ab7fe531619875 and the project's official repository for patch announcements.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29159
GHSA-64vr-4gr2-m642