Description
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.
Published: 2026-02-04
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Command Injection
Action: Immediate Patch
AI Analysis

Impact

Garding the Godot MCP server, a function named executeOperation accepts a projectPath parameter and forwards its value directly to the operating system’s exec interface. This lack of sanitization permits an attacker to inject arbitrary shell metacharacters, such as $(command) or &calc, yielding execution of any command under the privileges of the MCP server process. The vulnerability aligns with CWE-78, representing an unsanitized use of external input to control executable code. The result is that any operator or tool that supplies a projectPath—such as create_scene or load_sprite—can become a conduit for arbitrary code execution, compromising the confidentiality, integrity, and availability of the target machine.

Affected Systems

The affected vendor is Coding‑Solo, producing the Godot MCP product. Versions before 0.1.1 of the Godot MCP server contain this flaw. The issue has been addressed and patched in the 0.1.1 release, so systems running that version or later are no longer vulnerable.

Risk and Exploitability

The CVSS score of 7.8 indicates a high-impact vulnerability, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not cataloged in CISA’s KEV list. Attackers would need to interact with the MCP API or a tool that passes projectPath data, indicating a remote or local exploit vector depending on the configuration of the MCP server. Because the flaw allows execution with the server’s privileges, the potential impact is severe if the server runs with elevated rights. The overall risk remains considerable due to the serious impact, though the likelihood of exploitation is presently low.

Generated by OpenCVE AI on April 18, 2026 at 13:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Godot MCP to version 0.1.1 or later to apply the vendor patch
  • Limit exposure of the MCP API by restricting network access or requiring authentication
  • Configure the MCP server to run with the lowest privilege level necessary, reducing potential damage if exploitation occurs

Generated by OpenCVE AI on April 18, 2026 at 13:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8jx2-rhfh-q928 godot-mcp has Command Injection via unsanitized projectPath
History

Wed, 18 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Coding-solo godot Mcp
CPEs cpe:2.3:a:coding-solo:godot_mcp:*:*:*:*:*:*:*:*
Vendors & Products Coding-solo godot Mcp

Thu, 05 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Coding-solo
Coding-solo godot-mcp
Vendors & Products Coding-solo
Coding-solo godot-mcp

Wed, 04 Feb 2026 22:00:00 +0000

Type Values Removed Values Added
Description Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.
Title Godot MCP is vulnerable to Command Injection via unsanitized projectPath
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Coding-solo Godot-mcp Godot Mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T17:51:29.147Z

Reserved: 2026-02-02T19:59:47.375Z

Link: CVE-2026-25546

cve-icon Vulnrichment

Updated: 2026-02-05T17:51:25.844Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-04T22:16:00.667

Modified: 2026-03-18T14:25:39.043

Link: CVE-2026-25546

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z

Weaknesses