Vulnerability Details CVE-2026-6942
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 43.2%
CVSS Severity
CVSS v3 Score 9.8
References
Products affected by CVE-2026-6942
-
cpe:2.3:a:radare:radare2_mcp_server:1.0.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.1.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.2.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.3.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.4.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.4.2
-
cpe:2.3:a:radare:radare2_mcp_server:1.5.0
-
cpe:2.3:a:radare:radare2_mcp_server:1.5.2
-
cpe:2.3:a:radare:radare2_mcp_server:1.5.4
-
cpe:2.3:a:radare:radare2_mcp_server:1.5.6
-
cpe:2.3:a:radare:radare2_mcp_server:1.6.0