Vulnerabilities ›

CVE-2026-7039

High

CWE-74 — Weakness Type

                    Published: Apr 26, 2026                      ·  Modified: May 3, 2026                      ·  Source: NVD                

CVSS v3

7.8

🔗 NVD Official

📄 Description (English)

A security vulnerability has been detected in tufantunc ssh-mcp up to 1.5.0. The affected element is the function shell.write of the file src/index.ts. Such manipulation of the argument Description leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

🤖 AI Executive Summary

CVE-2026-7039 is a local command injection vulnerability in tufantunc ssh-mcp versions up to 1.5.0 affecting the shell.write function. With a CVSS score of 7.8, this vulnerability allows local attackers to execute arbitrary commands through manipulation of the Description argument. The exploit has been publicly disclosed, and no patch is currently available, requiring immediate mitigation strategies.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 17:51

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations using tufantunc ssh-mcp for SSH management and automation, particularly in: Government agencies (NCA, CITC) managing critical infrastructure; Banking sector (SAMA-regulated institutions) using SSH for secure administrative access; Telecommunications providers (STC, Mobily) managing network infrastructure; Energy sector (ARAMCO, SEC) for remote system administration. The local attack vector limits exposure but poses significant risk for insider threats and compromised system scenarios.

🏢 Affected Saudi Sectors

Government Banking Telecommunications Energy Healthcare Critical Infrastructure

🎯 MITRE ATT&CK Techniques

T1059 - Command and Scripting Interpreter T1059.004 - Unix Shell T1548 - Abuse Elevation Control Mechanism T1548.004 - Elevated Execution with Prompt T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Inventory all systems running tufantunc ssh-mcp versions up to 1.5.0

2. Restrict local access to affected systems through access control lists and privilege management

3. Disable or isolate ssh-mcp functionality if not critical to operations

4. Monitor for suspicious shell.write function calls and Description parameter manipulation



Compensating Controls:

1. Implement input validation and sanitization for Description parameters at application level

2. Deploy application-level command injection detection using WAF/RASP solutions

3. Enforce principle of least privilege for service accounts running ssh-mcp

4. Enable comprehensive audit logging for all shell.write operations

5. Implement file integrity monitoring on src/index.ts and related files



Detection Rules:

1. Monitor for unusual shell command execution patterns from ssh-mcp processes

2. Alert on Description parameter values containing shell metacharacters (;|&$`)

3. Track privilege escalation attempts following ssh-mcp activity

4. Log all modifications to ssh-mcp configuration and source files

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حصر جميع الأنظمة التي تقوم بتشغيل إصدارات tufantunc ssh-mcp حتى 1.5.0

2. تقييد الوصول المحلي للأنظمة المتأثرة من خلال قوائم التحكم في الوصول وإدارة الامتيازات

3. تعطيل أو عزل وظيفة ssh-mcp إذا لم تكن حرجة للعمليات

4. مراقبة استدعاءات دالة shell.write المريبة والتلاعب بمعامل الوصف

الضوابط التعويضية:

1. تنفيذ التحقق من صحة المدخلات والتطهير لمعاملات الوصف على مستوى التطبيق

2. نشر كشف حقن الأوامر على مستوى التطبيق باستخدام حلول WAF/RASP

3. فرض مبدأ أقل امتياز لحسابات الخدمة التي تقوم بتشغيل ssh-mcp

4. تفعيل تسجيل التدقيق الشامل لجميع عمليات shell.write

5. تنفيذ مراقبة سلامة الملفات على src/index.ts والملفات ذات الصلة

قواعد الكشف:

1. مراقبة أنماط تنفيذ أوامر shell غير العادية من عمليات ssh-mcp

2. التنبيه على قيم معامل الوصف التي تحتوي على أحرف shell الخاصة (;|&$`)

3. تتبع محاولات تصعيد الامتيازات بعد نشاط ssh-mcp

4. تسجيل جميع التعديلات على تكوين ssh-mcp وملفات المصدر

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies ECC 2024 A.8.2.1 - User Endpoint Devices ECC 2024 A.8.3.1 - Information Backup ECC 2024 A.12.4.1 - Event Logging ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Software Inventory SAMA CSF PR.AC-1 - Access Control SAMA CSF PR.PT-1 - Security Awareness and Training SAMA CSF DE.CM-1 - System Monitoring SAMA CSF RS.MI-2 - Incident Response Procedures

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access Control ISO 27001:2022 A.8.22 - Monitoring ISO 27001:2022 A.8.23 - Web Application Firewall ISO 27001:2022 A.12.6.1 - Management of Technical Vulnerabilities ISO 27001:2022 A.14.2.1 - Secure Development Policy

🔗 References & Sources 5

🔗

https://github.com/tufantunc/ssh-mcp/

cna@vuldb.com

🔗

https://github.com/tufantunc/ssh-mcp/issues/44

cna@vuldb.com

🔗

https://vuldb.com/submit/798528

cna@vuldb.com

🔗

https://vuldb.com/vuln/359619

cna@vuldb.com

🔗

https://vuldb.com/vuln/359619/cti

cna@vuldb.com

📊 CVSS Score

7.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score7.8

CWECWE-74

EPSS0.06%

Exploit No

Patch ✗ No

Published 2026-04-26

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-74

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-7039

💬 Comments

Introduce Yourself

Sign In Required