Skip to main content

Agentic Flow

1 CVEs product

Monthly

CVE-2026-58195 HIGH PATCH This Week

OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. A working proof of concept is published in the vendor's GHSA advisory; there is no evidence of active in-the-wild exploitation (not in CISA KEV).

Command Injection Agentic Flow
NVD GitHub
CVSS 3.1
8.8
CVSS 8.8
HIGH PATCH This Week

OS command injection in Agentic-Flow (npm package ruvnet/agentic-flow) before 2.0.14 lets attacker-controlled MCP tool parameters - agent, task, name, language, and agentdb - break out of double-quoted shell arguments and run arbitrary OS commands as the MCP server user. The AI-orchestration platform's MCP server tools interpolated these values straight into strings passed to execSync(), so any untrusted content (web pages, files, third-party tool output) that the agent processes can reach the sink, and the HTTP/SSE transports expose the same sinks over the network without authentication. A working proof of concept is published in the vendor's GHSA advisory; there is no evidence of active in-the-wild exploitation (not in CISA KEV).

Command Injection Agentic Flow
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy