CVE-2026-30625
Published: 15 April 2026
Description
Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, it checks only the command name, and certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning that Stdio servers are able to execute commands directly on the machine.
Mitigating Controls (NIST 800-53 r5)
- Validate MCP task command and argument inputs directly, so that allowlisted launchers such as npm and npx cannot be handed flags that execute arbitrary OS commands.
- Enforce access control policies to prevent unauthenticated remote creation of malicious MCP tasks.
- Limit the privileges of the Upsonic process to minimize impact if RCE occurs through an exploited MCP task.
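The description above says the allowlist admitted npm and npx while their arguments went unchecked, and the first control above asks for argument validation. The Python below is an added example written for this page, not Upsonic's code or its patch; the names StdioServerSpec, validate_stdio_spec, the flag sets and the pinned package list are assumptions made for the illustration. It puts the weak name-only check beside a validator that also parses the launcher's arguments: npx -c/--call and npm exec -c/--call run an arbitrary shell string and --script-shell changes the shell npm spawns, so those are refused wherever they appear, launcher options are reduced to -y/--yes, npm is restricted to the exec subcommand, and the package positional must match a pinned allowlist.

```python
"""Added example for this page (not Upsonic's code or patch): why a
command-name allowlist for stdio MCP servers is not enough, and a
validator that also screens the launcher's arguments. Every name here
(StdioServerSpec, validate_stdio_spec, the flag sets, the pinned package
list) is an assumption made for the illustration."""
from __future__ import annotations

from dataclasses import dataclass, field

# Launcher names the deployment permits: the kind of allowlist the CVE says existed.
ALLOWED_COMMANDS = {"npx", "npm"}

# npm/npx options that run an arbitrary shell string or swap the shell used:
# `npx -c/--call <string>` and `npm exec -c/--call <string>` execute <string>
# in a shell; `--script-shell` replaces the shell npm spawns for that string.
SHELL_ESCAPE_FLAGS = {"-c", "--call", "--script-shell"}

# The only launcher options a server definition is allowed to set.
BENIGN_LAUNCHER_FLAGS = {"-y", "--yes"}

# Pinned, reviewed MCP server packages (constructed names for the example).
PINNED_PACKAGES = {"@example/mcp-filesystem@1.4.2", "@example/mcp-git@0.9.0"}


@dataclass
class StdioServerSpec:
    """A user-supplied stdio MCP server definition: launcher plus args."""
    command: str
    args: list[str] = field(default_factory=list)


def naive_check(spec: StdioServerSpec) -> bool:
    """The weak pattern: the command name is allowlisted, args are trusted."""
    return spec.command in ALLOWED_COMMANDS


def _flag_name(arg: str) -> str:
    """Normalise '--call=id' to '--call' so the `=` form cannot slip past."""
    return arg.split("=", 1)[0]


def validate_stdio_spec(spec: StdioServerSpec) -> tuple[bool, str]:
    """Hardened check. Returns (accepted, reason)."""
    if spec.command not in ALLOWED_COMMANDS:
        return False, f"command {spec.command!r} is not allowlisted"
    args = list(spec.args)
    if spec.command == "npm":
        # Only `npm exec` launches a package binary; `npm run`, `npm install`
        # and friends execute package.json scripts or lifecycle hooks.
        if not args or args[0] != "exec":
            return False, "npm is only permitted as 'npm exec'"
        args = args[1:]

    # Launcher options precede the first positional (the package spec).
    i = 0
    while i < len(args) and args[i].startswith("-"):
        name = _flag_name(args[i])
        i += 1
        if name in SHELL_ESCAPE_FLAGS:
            return False, f"{name} runs an arbitrary shell string"
        if name == "--":  # explicit end of launcher options
            break
        if name not in BENIGN_LAUNCHER_FLAGS:
            return False, f"launcher flag {name} is not permitted"
    if i >= len(args):
        return False, "no package specified"

    package = args[i]
    if package not in PINNED_PACKAGES:
        return False, f"package {package!r} is not in the pinned allowlist"

    # Remaining args go to the server binary, but refuse the launcher's
    # shell-escape flags there as well, in case the launcher reparses them.
    for extra in args[i + 1:]:
        if _flag_name(extra) in SHELL_ESCAPE_FLAGS:
            return False, f"{_flag_name(extra)} is not permitted in server args"
    return True, "ok"


# Constructed task definitions: one legitimate, the rest abusing the launcher.
LEGIT = StdioServerSpec("npx", ["-y", "@example/mcp-filesystem@1.4.2", "--root", "/srv/data"])
HOSTILE_NPX = StdioServerSpec("npx", ["-y", "-c", "id"])
HOSTILE_NPM = StdioServerSpec("npm", ["exec", "--call=id"])
HOSTILE_TRAILING = StdioServerSpec("npx", ["-y", "@example/mcp-git@0.9.0", "--call", "id"])
UNPINNED = StdioServerSpec("npx", ["-y", "some-unreviewed-package"])


def compare() -> dict[str, tuple[bool, bool]]:
    """Per sample: (passes the naive name check, passes the hardened check)."""
    samples = {"legit": LEGIT, "npx -c": HOSTILE_NPX, "npm exec --call=": HOSTILE_NPM,
               "trailing --call": HOSTILE_TRAILING, "unpinned": UNPINNED}
    return {k: (naive_check(s), validate_stdio_spec(s)[0]) for k, s in samples.items()}


if __name__ == "__main__":
    for label, (naive, hardened) in compare().items():
        print(f"{label:18} naive={naive!s:5} hardened={hardened}")
```

Every hostile sample passes naive_check because its command name is npx or npm; only the hardened validator rejects them, and it still accepts the pinned server with its own --root argument. The flag sets are deliberately small: a validator that enumerates "bad" flags alone will miss the next one, so the positive allowlist of launcher options and pinned packages is the part that actually holds.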
Security Summary
CVE-2026-30625 is a remote code execution vulnerability affecting Upsonic version 0.71.6, specifically in its MCP server and task creation functionality. The flaw arises because the application permits users to define MCP tasks using arbitrary command and argument values; the existing allowlist constrains only the command name. Certain allowlisted commands, such as npm and npx, accept argument flags that execute an arbitrary operating system command string, bypassing the intended restriction.
Unauthenticated remote attackers can exploit this vulnerability by submitting maliciously crafted MCP tasks, leading to remote code execution with the privileges of the Upsonic process. The CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects its critical severity, with network accessibility, low complexity, and no privileges required, resulting in high impacts on confidentiality, integrity, and availability. This is classified under CWE-77 (Command Injection).
The Upsonic GitHub commit at https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305 documents the patch, while version 0.72.0 introduced a warning about Stdio servers' ability to execute commands directly on the host machine. Additional details on mitigation appear in the OX Security advisory at https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/.
This vulnerability is part of broader RCE issues in the AI ecosystem supply chain, as highlighted in the referenced advisory. No public information on real-world exploitation is available in the provided details.
Details
- CWE(s): CWE-77 (Command Injection)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: mcp
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote code execution via command injection in a public-facing MCP server (T1190, Exploit Public-Facing Application), and the injected npm/npx flags hand the attacker arbitrary OS command execution through the system shell (T1059, Command and Scripting Interpreter).