Kerentanan  ·  2026-07-18

Agentic-Flow MCP Server OS Command Injection (CVE-2026-58195)

KerentananHigh dampakGlobalCVE-2026-58195
Agentic-Flow, platform AI agent orchestration, mengandung OS command injection vulnerability sebelum versi 2.0.14 di seluruh multiple MCP server implementations (standalone-stdio.ts, claude-flow-sdk.ts, stdio-full.ts, http-streaming-updated.ts, http-sse.ts). Dipublikasikan ke NVD 2026-07-17, CVSS 8.8 (High).
Agentic-Flow's MCP servers adalah tool-execution surfaces yang directly callable oleh AI agents; OS command injection di sana memberikan attacker yang dapat mencapai MCP interface (atau memanipulasi agent tool-call inputs via prompt injection) direct path ke arbitrary command execution pada host yang menjalankan agent orchestration platform.
Command injection via MCP server tool parameters di seluruh multiple standalone/stdio/HTTP-streaming/SSE MCP server implementations
Agentic-Flow (ruvnet/agentic-flow) sebelum 2.0.14
Upgrade ke agentic-flow 2.0.14 atau lebih baru; lihat GitHub commit 0c2ec967736a8b6b85832c6bae2a3e74989705ec
GitHub commit — agentic-flow fixNVD CVE-2026-58195
Lihat di umpan langsung Jelajahi temuan keamanan dan tata kelola AI terkait — diperbarui setiap pagi.
Buka umpan →