ssh-mcp CVE-2026-7038

EUVD-2026-25715 LOW

Insufficiently Protected Credentials (CWE-522)

2026-04-26 [email protected]

1.9

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Apr 26, 2026 - 12:30 vuln.today

DescriptionNVD

A weakness has been identified in tufantunc ssh-mcp up to 1.5.0. Impacted is an unknown function of the file src/index.ts of the component Command Line Handler. This manipulation causes insufficiently protected credentials. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Insufficient credential protection in tufantunc ssh-mcp up to version 1.5.0 allows local authenticated users to disclose sensitive credentials through the Command Line Handler component. The vulnerability affects src/index.ts and has a publicly available exploit, though the low CVSS score of 1.9 reflects limited scope (confidentiality impact only, no integrity or availability effects) and requirement for local authenticated access.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7038 vulnerability details – vuln.today

Back