AgentDeskAI browser-tools-mcp CVE-2026-7064
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A flaw has been found in AgentDeskAI browser-tools-mcp up to 1.2.0. This issue affects some unknown processing of the file browser-tools-server/browser-connector.ts. Executing a manipulation can lead to os command injection. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote unauthenticated attackers can inject arbitrary operating system commands through the browser-connector.ts file in AgentDeskAI browser-tools-mcp versions up to 1.2.0, leading to command execution with application privileges. The vulnerability stems from improper input sanitization in file browser processing and has been published with publicly available exploit code; the vendor has been notified but has not yet released a patch.
Technical ContextAI
AgentDeskAI browser-tools-mcp is a Model Context Protocol (MCP) server component that provides browser automation and file manipulation capabilities. The vulnerability exists in browser-tools-server/browser-connector.ts, which processes file system operations without proper command injection protections. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that user-supplied input is passed unsanitized to OS command execution functions, likely through shell metacharacter sequences (e.g., backticks, pipe operators, command substitution). The affected CPE cpe:2.3:a:agentdeskai:browser-tools-mcp indicates all instances of this package through version 1.2.0 and potentially later versions if unpatched.
RemediationAI
No vendor-released patch has been identified at the time of analysis; the project was informed early through issue report #232 but has not yet released a fix version. Immediate remediation steps: (1) Isolate any deployment of browser-tools-mcp from untrusted network access by placing it behind a network firewall or reverse proxy that performs strict input validation; (2) Disable or remove the file browser functionality if not actively used; (3) Monitor for exploitation attempts by logging all input to the affected browser-connector.ts endpoint and alerting on shell metacharacters (backticks, pipe, semicolon, dollar signs) in request payloads; (4) Fork the project and apply custom input sanitization to strip or escape shell metacharacters before any OS command execution; (5) Evaluate alternative MCP server implementations or contact AgentDeskAI for timeline on a patched release. If the component cannot be removed, implement a Web Application Firewall (WAF) rule to block requests containing command injection patterns, though this is a defense-in-depth measure and not a primary fix.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today