Cyber Posture

CVE-2026-30303

Critical

Published: 27 March 2026

Published
27 March 2026
Modified
02 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 58.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The command auto-approval module in Axon Code contains an OS Command Injection vulnerability, rendering its whitelist security mechanism ineffective. The vulnerability stems from the incorrect use of an incompatible command parser (the Unix-based shell-quote library) to analyze commands on the…

more

Windows platform, coupled with a failure to correctly handle Windows CMD-specific escape sequences (^). Attackers can exploit this discrepancy between the parsing logic and the execution environment by constructing payloads such as git log ^" & malicious_command ^". The Axon Code parser is deceived by the escape characters, misinterpreting the malicious command connector (&) as being within a protected string argument and thus auto-approving the command. However, the underlying Windows CMD interpreter ignores the escaped quotes, parsing and executing the subsequent malicious command directly. This allows attackers to achieve arbitrary Remote Code Execution (RCE) after bypassing what appears to be a legitimate Git whitelist check.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Mandates input validation at command entry points to reject payloads exploiting incompatible parsers and Windows CMD escape sequences like caret (^).

SI-2 Flaw Remediation good match
preventrecover

Requires timely remediation of flaws such as the misuse of Unix shell-quote library on Windows, preventing exploitation through patches and verification.

SI-9 Information Input Restrictions partial match
prevent

Enforces restrictions on command inputs to authorized whitelisted types, strengthening the auto-approval mechanism against bypass attempts.

Security SummaryAI

CVE-2026-30303 is an OS Command Injection vulnerability (CWE-78) in the command auto-approval module of Axon Code, published on 2026-03-27. The flaw makes the module's whitelist security mechanism ineffective due to the use of an incompatible Unix-based shell-quote library for command parsing on Windows platforms. This library fails to properly handle Windows CMD-specific escape sequences, such as the caret (^), allowing crafted inputs to bypass validation while being executed differently by the underlying interpreter.

Remote attackers without authentication can exploit this vulnerability by constructing payloads like "git log ^\" & malicious_command ^\"". The Axon Code parser misinterprets the escaped quotes and command connector (&) as part of a protected string argument, auto-approving the input as a legitimate Git command on the whitelist. However, the Windows CMD interpreter disregards the escapes, directly parsing and executing the malicious command. This achieves arbitrary remote code execution (RCE), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Advisories and further details are available in the referenced sources: https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/6 and https://www.matterai.so/.

Details

CWE(s)
CWE-78

Affected Products

matterai
axon code
≤ 4.123.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.003 Windows Command Shell Execution
Adversaries may abuse the Windows command shell for execution.
attack.mitre.org →
Why these techniques?

CVE enables remote exploitation of a public-facing application (T1190) via OS command injection into Windows CMD (T1059.003), bypassing whitelist for arbitrary RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References