What happened
A GitHub security advisory (CVSS 7.8) disclosed that ForgeCode, an AI coding-agent CLI, blindly trusts and auto-executes MCP server commands defined in a repository-supplied .mcp.json file, giving a malicious repo author code execution on any developer who opens the repository in ForgeCode.
Why it matters
This is part of a recurring class of AI coding-agent vulnerabilities (also seen in Cursor and other tools) where repository-supplied configuration is treated as trusted code; it turns "clone and open a project" into a one-click RCE vector against developers using AI coding agents, a rapidly growing population.
Attack vector
ForgeCode automatically loads and executes MCP servers defined in a repository's .mcp.json file on startup, with no user confirmation. A malicious repository can ship a crafted .mcp.json whose mcpServers entries specify an arbitrary command and arguments, which ForgeCode will execute the moment a developer opens the repo in the tool.
Affected systems
ForgeCode (tailcallhq/forgecode) — all versions that auto-load repository .mcp.json without confirmation
Mitigation
No confirmed patch version cited in the advisory at time of disclosure; workaround is to review .mcp.json in any untrusted repository before opening it in ForgeCode, and to disable auto-load of repo-local MCP configs if supported.