📄 Description (English)
A vulnerability was detected in VetCoders mcp-server-semgrep 1.0.0. This affects the function analyze_results/filter_results/export_results/compare_results/scan_directory/create_rule of the file src/index.ts of the component MCP Interface. The manipulation of the argument ID results in os command injection. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.1 is able to mitigate this issue. The patch is identified as 141335da044e53c3f5b315e0386e01238405b771. It is advisable to upgrade the affected component.
🤖 AI Executive Summary
CVE-2026-7446 is a critical OS command injection vulnerability in VetCoders mcp-server-semgrep 1.0.0 affecting the MCP Interface component. The vulnerability allows remote attackers to execute arbitrary OS commands through manipulation of the ID argument in multiple functions (analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule). With a CVSS score of 7.3 and public exploit availability, this poses an immediate threat to organizations using this component for code analysis and security scanning.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 5, 2026 03:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in the technology and software development sectors, including: (1) Government IT departments and NCA-regulated entities using Semgrep for secure code analysis; (2) Banking and financial institutions (SAMA-regulated) employing automated security scanning in their development pipelines; (3) Telecommunications companies (STC, Mobily) using code analysis tools; (4) Healthcare organizations conducting security assessments; (5) Energy sector (ARAMCO-adjacent suppliers) utilizing DevSecOps tools. The remote execution capability makes this particularly dangerous for organizations with internet-facing development infrastructure or cloud-based CI/CD pipelines.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Telecommunications
Healthcare
Energy and Utilities
Software Development and IT Services
Cybersecurity and Defense
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of mcp-server-semgrep 1.0.0 in your environment (development servers, CI/CD pipelines, security scanning infrastructure)
2. Isolate affected systems from network access if possible, or implement strict network segmentation
3. Review access logs and audit trails for suspicious activity or command execution patterns
4. Disable the MCP Interface component if not critical to operations
PATCHING GUIDANCE:
1. Upgrade to mcp-server-semgrep version 1.0.1 or later immediately
2. Apply patch 141335da044e53c3f5b315e0386e01238405b771 if available from vendor
3. Test patches in non-production environment before deployment
4. Implement change management procedures for all affected systems
COMPENSATING CONTROLS (if patching delayed):
1. Implement input validation and sanitization for all ID parameters - whitelist alphanumeric characters only
2. Run mcp-server-semgrep with minimal privileges (non-root user account)
3. Use Web Application Firewall (WAF) rules to block requests containing shell metacharacters (|, &, ;, $, `, etc.)
4. Implement strict firewall rules limiting access to MCP Interface ports
5. Enable command execution logging and monitoring
DETECTION RULES:
1. Monitor for process execution from mcp-server-semgrep process with suspicious command patterns
2. Alert on any ID parameter containing: pipe (|), ampersand (&), semicolon (;), backtick (`), dollar sign ($), parentheses
3. Log all function calls to analyze_results, filter_results, export_results, compare_results, scan_directory, create_rule
4. Monitor for unexpected child processes spawned by Node.js/mcp-server-semgrep
5. Implement SIEM rules for command injection attack patterns in application logs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ mcp-server-semgrep 1.0.0 في بيئتك (خوادم التطوير، خطوط أنابيب CI/CD، بنية الفحص الأمني)
2. عزل الأنظمة المتأثرة عن الوصول إلى الشبكة إن أمكن، أو تطبيق تقسيم شبكة صارم
3. مراجعة سجلات الوصول وسجلات التدقيق للنشاط المريب أو أنماط تنفيذ الأوامر
4. تعطيل مكون واجهة MCP إذا لم يكن حرجاً للعمليات
إرشادات التصحيح:
1. الترقية إلى إصدار mcp-server-semgrep 1.0.1 أو أحدث فوراً
2. تطبيق التصحيح 141335da044e53c3f5b315e0386e01238405b771 إذا كان متاحاً من المورد
3. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر
4. تطبيق إجراءات إدارة التغيير لجميع الأنظمة المتأثرة
الضوابط التعويضية (إذا تأخر التصحيح):
1. تطبيق التحقق من صحة المدخلات والتطهير لجميع معاملات المعرف - قائمة بيضاء للأحرف الأبجدية الرقمية فقط
2. تشغيل mcp-server-semgrep بامتيازات دنيا (حساب مستخدم غير جذر)
3. استخدام قواعد جدار الحماية للتطبيقات (WAF) لحجب الطلبات التي تحتوي على أحرف shell الخاصة
4. تطبيق قواعد جدار الحماية الصارمة لتحديد الوصول إلى منافذ واجهة MCP
5. تفعيل تسجيل ومراقبة تنفيذ الأوامر
قواعد الكشف:
1. مراقبة تنفيذ العمليات من عملية mcp-server-semgrep بأنماط أوامر مريبة
2. التنبيه على أي معامل معرف يحتوي على: أنابيب (|)، علامة العطف (&)، فاصلة منقوطة (;)، علامة خلفية (`)
3. تسجيل جميع استدعاءات الدوال لـ analyze_results و filter_results و export_results و compare_results و scan_directory و create_rule
4. مراقبة العمليات الفرعية غير المتوقعة التي تم إنشاؤها بواسطة Node.js/mcp-server-semgrep
5. تطبيق قواعد SIEM لأنماط هجمات حقن الأوامر في سجلات التطبيقات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development policy and procedures
ECC 2024 A.14.2.5 - Secure development environment
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.2.1 - Monitoring and logging of access
🔵 SAMA CSF
SAMA CSF ID.GV-1 - Organizational governance and risk management
SAMA CSF PR.DS-6 - Data is protected from unauthorized access
SAMA CSF DE.CM-1 - The network is monitored for unauthorized connections
SAMA CSF RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - User endpoint devices
ISO 27001:2022 A.8.3 - Access control
ISO 27001:2022 A.14.2 - Development security
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Ensure security patches are installed
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 11.3 - Penetration testing and vulnerability scanning
🔗 References & Sources 8
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/VetCoders/mcp-server-semgrep/
cna@vuldb.com
https://github.com/VetCoders/mcp-server-semgrep/commit/141335da044e53c3f5b315e0386e0123...
cna@vuldb.com
https://github.com/VetCoders/mcp-server-semgrep/issues/12
cna@vuldb.com
https://github.com/VetCoders/mcp-server-semgrep/pull/15
cna@vuldb.com
https://github.com/VetCoders/mcp-server-semgrep/releases/tag/v1.0.1
cna@vuldb.com
https://vuldb.com/submit/804100
cna@vuldb.com
https://vuldb.com/vuln/360187
cna@vuldb.com
https://vuldb.com/vuln/360187/cti
cna@vuldb.com