simple-openstack-mcp
CVE-2026-7066
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was found in choieastsea simple-openstack-mcp up to 767b2f4a8154cca344344b9725537a58399e6036. The affected element is the function exec_openstack of the file server.py. The manipulation results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Remote OS command injection in simple-openstack-mcp allows unauthenticated attackers to execute arbitrary system commands via the exec_openstack function in server.py. The vulnerability affects all deployments up to commit 767b2f4a8154cca344344b9725537a58399e6036, with confirmed publicly available exploit code (GitHub issue #3). CVSS 7.3 severity reflects network attack vector with no authentication required, enabling direct system compromise. Project maintainer has not responded to vulnerability disclosure at time of analysis.
Technical ContextAI
The vulnerability resides in the exec_openstack function within server.py of simple-openstack-mcp, a utility for managing OpenStack deployments via Model Context Protocol (MCP). CWE-78 (OS Command Injection) indicates improper neutralization of special elements in system command execution, typically occurring when user-controlled input is passed unsafely to shell execution functions like subprocess.call, os.system, or similar Python APIs. The affected product (CPE: cpe:2.3:a:choieastsea:simple-openstack-mcp) follows a rolling release model without traditional versioning, complicating patch tracking and making commit hash (767b2f4a8154cca344344b9725537a58399e6036) the primary identifier for vulnerable deployments. Command injection vulnerabilities commonly arise from concatenating user input directly into shell commands without validation or escaping, allowing attackers to inject shell metacharacters (semicolons, pipes, backticks) to execute arbitrary commands.
RemediationAI
No vendor-released patch is available as the project maintainer has not responded to the disclosure (GitHub issue #3). Organizations must implement compensating controls immediately. Primary mitigation: Remove external network access to simple-openstack-mcp server endpoints by binding server.py only to localhost (127.0.0.1) or internal management networks, then enforce access via authenticated jump hosts or VPN - this eliminates remote unauthenticated attack vector but requires administrative overhead for legitimate access. Secondary mitigation: Deploy web application firewall (WAF) or reverse proxy with strict input validation to filter shell metacharacters (semicolons, pipes, backticks, dollar signs, ampersands) before requests reach server.py - however, this may break legitimate OpenStack command functionality if the application requires these characters. Tertiary option: Fork the repository, patch the exec_openstack function to use parameterized command execution (subprocess with shell=False and argument lists instead of string concatenation), and maintain private patched version - this requires ongoing security maintenance burden. Given unresponsive maintainer and small project scope, consider migrating to actively maintained OpenStack management alternatives with established security response processes.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today