Skip to main content

Agentic-Flow EUVDEUVD-2026-45256

| CVE-2026-58195 HIGH
OS Command Injection (CWE-78)
2026-07-17 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Untrusted content must reach the tool (UI:R) but no auth is required on the exposed sinks (PR:N); trivial injection (AC:L) yields full OS control (C/I/A:H) as the server user.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 17, 2026 - 20:03 EUVD
Source Code Evidence Fetched
Jul 17, 2026 - 19:17 vuln.today
Analysis Generated
Jul 17, 2026 - 19:17 vuln.today
CVE Published
Jul 17, 2026 - 18:47 cve.org
HIGH 8.8

DescriptionCVE.org

Agentic-Flow is an AI agent orchestration platform. Prior to 2.0.14, agentic-flow MCP server tools in src/mcp/standalone-stdio.ts, src/mcp/fastmcp/servers/claude-flow-sdk.ts, src/mcp/fastmcp/servers/stdio-full.ts, src/mcp/fastmcp/servers/http-streaming-updated.ts, src/mcp/fastmcp/servers/http-sse.ts, src/mcp/fastmcp/servers/poc-stdio.ts, src/mcp/fastmcp/tools/agent/{execute,list,parallel}.ts, src/mcp/fastmcp/tools/swarm/orchestrate.ts, and src/mcp/fastmcp/tools/hooks/pretrain.ts interpolated attacker-influenceable tool parameters such as agent, task, name, language, and agentdb directly into shell command strings passed to execSync(), allowing arbitrary OS command execution with the privileges of the MCP server user. This issue is fixed in version 2.0.14.

AnalysisAI

OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Plant malicious value in untrusted content
Delivery
Agent invokes affected MCP tool with tainted parameter
Exploit
Metacharacters escape quoted execSync argument
Execution
Shell executes injected commands
Impact
Arbitrary OS command execution as MCP server user

Vulnerability AssessmentAI

Exploitation Exploitation requires that one of the vulnerable MCP tools (in standalone-stdio.ts, the fastmcp servers, or the agent/swarm/hooks tool modules) be invoked with an attacker-influenced value for a parameter that reaches the execSync sink - specifically agent, task, name, language, or agentdb - carrying shell metacharacters that escape the surrounding double quotes. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8) reflects network-reachable, low-complexity exploitation yielding full confidentiality, integrity, and availability impact, with user interaction (UI:R) capturing that the agent must process attacker-influenced data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker plants a malicious instruction inside content the agent will read - a web page, file, or third-party tool response - containing a crafted task value such as `x"; touch /tmp/INJECTED; id > /tmp/rce.txt; echo "`. When the agent invokes an affected MCP tool with that value, interpolation into the execSync string breaks out of the quotes and the injected commands run with the MCP server user's privileges (POC published in the GHSA advisory). …
Remediation Vendor-released patch: upgrade agentic-flow to 2.0.14 or later (npm install agentic-flow@^2.0.14), which replaces execSync template-string interpolation with execFileSync argv arrays and shell:false; downstream ruflo users should move to 3.12.4, which requires agentic-flow >=2.0.14. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Immediately conduct a 24-hour inventory of all systems running Agentic-Flow versions before 2.0.14, document network exposure, and implement network segmentation to restrict MCP server HTTP/SSE interface access to trusted networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45256 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy