Skip to main content

ssh-mcp CVE-2026-7039

| EUVDEUVD-2026-25716 HIGH
Command Injection (CWE-77)
2026-04-26 VulDB
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Apr 29, 2026 - 01:30 vuln.today
v3 (cvss_changed)
CVSS changed
Apr 29, 2026 - 01:12 NVD
8.5 (HIGH) 7.1 (HIGH)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Analysis Updated
Apr 26, 2026 - 13:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 26, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
Apr 26, 2026 - 13:22 NVD
7.8 (HIGH) 8.5 (HIGH)
Analysis Generated
Apr 26, 2026 - 13:15 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 13:00 euvd
EUVD-2026-25716
Analysis Generated
Apr 26, 2026 - 13:00 vuln.today
CVE Published
Apr 26, 2026 - 12:30 nvd
HIGH 7.1

DescriptionCVE.org

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Command injection in ssh-mcp versions up to 1.5.0 allows authenticated local users to execute arbitrary OS commands via the Description parameter to the shell.write function in src/index.ts. Publicly available exploit code exists (GitHub issue #44) demonstrating the vulnerability. Despite CVSS 7.1 severity, real-world risk is moderate due to local-only attack vector and low EPSS score (0.06%, 18th percentile), indicating minimal observed exploitation attempts. Vendor has not responded to early disclosure via issue report.

Technical ContextAI

ssh-mcp is a Model Context Protocol (MCP) server implementation for SSH connections. The vulnerability resides in the shell.write function within src/index.ts, where user-supplied input through the Description argument is passed unsanitized to shell execution functions. This is a classic CWE-77 command injection flaw where special characters or shell metacharacters in the Description parameter can break out of the intended command context and execute arbitrary system commands. The affected code path involves the MCP server processing client-supplied parameters without proper input validation or sanitization before invoking shell operations. All versions from 1.0 through 1.5.0 are confirmed vulnerable per EUVD product enumeration (CPE: cpe:2.3:a:tufantunc:ssh-mcp:*:*:*:*:*:*:*:*).

RemediationAI

No vendor-released patch identified at time of analysis. The project maintainer has not responded to the vulnerability disclosure made via GitHub issue #44, suggesting potential project abandonment or lack of active maintenance. Organizations using ssh-mcp should immediately assess exposure and implement compensating controls. Primary mitigation: restrict ssh-mcp deployment to single-user or fully-trusted environments where all users have equivalent privilege levels, eliminating command injection impact since attackers already possess equivalent access. Secondary mitigation: implement operating system-level restrictions using mandatory access control (MAC) frameworks like SELinux or AppArmor to confine the ssh-mcp process to a restricted security context, preventing injected commands from accessing sensitive resources (trade-off: requires expertise to configure and may break legitimate functionality). Tertiary option: conduct code review of src/index.ts shell.write function and apply local patch to sanitize Description parameter using allowlists for permitted characters or migrate to parameterized command execution APIs (trade-off: requires ongoing maintenance for upstream updates and testing). Long-term recommendation: evaluate migration to actively-maintained alternatives for SSH-based MCP server implementations, given vendor non-responsiveness indicates potential end-of-life status for this project.

Share

CVE-2026-7039 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy