Which versions of simple-openstack-mcp are affected by CVE-2026-7066?

simple-openstack-mcp contains a critical remote command injection vulnerability allowing unauthenticated attackers to execute arbitrary system commands on affected servers.

Is there a public PoC exploit available for CVE-2026-7066?

Yes, a public proof-of-concept exploit is available for CVE-2026-7066. Prioritise patching immediately. EPSS: 1.0%.

simple-openstack-mcp CVE-2026-7066

Q: What is the CVSS score of CVE-2026-7066?

CVE-2026-7066 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

MEDIUM

OS Command Injection (CWE-78)

2026-04-26 VulDB

Command Injection

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 27, 2026 - 00:22 NVD

HIGH MEDIUM

CVSS changed

Apr 27, 2026 - 00:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 27, 2026 - 00:00 vuln.today

Analysis Generated

Apr 26, 2026 - 23:30 vuln.today

CVE Published

Apr 26, 2026 - 23:15 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was found in choieastsea simple-openstack-mcp up to 767b2f4a8154cca344344b9725537a58399e6036. The affected element is the function exec_openstack of the file server.py. The manipulation results in os command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Remote OS command injection in simple-openstack-mcp allows unauthenticated attackers to execute arbitrary system commands via the exec_openstack function in server.py. The vulnerability affects all deployments up to commit 767b2f4a8154cca344344b9725537a58399e6036, with confirmed publicly available exploit code (GitHub issue #3). …

RemediationAI

Within 24 hours: Inventory all deployments of simple-openstack-mcp and isolate affected systems from production networks or disable external access. Within 7 days: Evaluate alternative OpenStack integration solutions and develop migration plan; contact project maintainers directly to confirm patch timeline. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-7066 vulnerability details – vuln.today

Back

simple-openstack-mcp CVE-2026-7066

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

simple-openstack-mcp CVE-2026-7066

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code