Description
sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to execute arbitrary shell commands with the privileges of the MCP server process.
Published: 2026-02-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

sf-mcp-server contains a command injection flaw caused by unsafe use of child_process.exec when building Salesforce CLI commands with user-supplied data. An attacker who can influence the input to the query_records tool can cause the server to execute arbitrary shell commands with whatever privileges the MCP server process holds, allowing complete compromise of confidentiality, integrity, and availability. Because the server is built for Claude for Desktop, it typically runs on the user's workstation under that user's account, so the attacker inherits the user's files, network position, and any Salesforce CLI sessions already authenticated on the machine. The weakness is identified as CWE-78.

Affected Systems

The vulnerability affects the sf-mcp-server product from akutishevsky. No specific version information was provided, so all releases may be impacted until a patch is applied.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high severity: the attack vector is network and no privileges are required, but attack complexity is rated high and user interaction is required. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the issue is not listed in the CISA KEV catalog; note, however, that the SSVC assessment recorded in the history below marks Exploitation as 'poc', so proof-of-concept code is considered to exist. Based on the description, anyone able to influence the query string passed to the query_records tool can trigger the flaw. In an MCP deployment that argument is chosen by the model on the user's behalf, so the likely practical path is content the model reads that steers it into issuing a crafted query, which is consistent with the UI:R component of the vector. Successful exploitation grants the adversary the same privileges as the MCP server process.

Generated by OpenCVE AI on April 17, 2026 at 20:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a fixed release of sf-mcp-server as soon as the maintainer publishes one; no fix is recorded on this page yet, so confirm the fixed version against the upstream GitHub advisory for CVE-2026-26029 before relying on an update.
  • If a patch is not yet available, change the code that builds the Salesforce CLI invocation so that user input never passes through a shell: call child_process.execFile (or spawn without shell: true) with the executable and an argument array, and validate the query string before it is used. Escaping or quoting the string for exec is not a substitute, because the shell still parses the result.
  • Limit the permissions of the MCP server process to the minimal set required for normal operation, reducing the impact of any potential code execution.



Advisories

No advisories yet.

History

Thu, 12 Feb 2026 16:15:00 +0000

  Metrics (ssvc), values added:
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 09:45:00 +0000

  First Time appeared, values added: Akutishevsky; Akutishevsky sf-mcp-server
  Vendors & Products, values added: Akutishevsky; Akutishevsky sf-mcp-server

Wed, 11 Feb 2026 21:45:00 +0000

  Description, values added: sf-mcp-server is an implementation of Salesforce MCP server for Claude for Desktop. A command injection vulnerability exists in sf-mcp-server due to unsafe use of child_process.exec when constructing Salesforce CLI commands with user-controlled input. Successful exploitation allows attackers to execute arbitrary shell commands with the privileges of the MCP server process.
  Title, values added: sf-mcp-server has a Command Injection in query_records tool due to unsafe use of child_process.exec
  Weaknesses, values added: CWE-78
  References: no values listed
  Metrics (cvssV3_1), values added:
    {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-12T15:41:13.182Z

Reserved: 2026-02-09T21:36:29.555Z

Link: CVE-2026-26029

Vulnrichment

Updated: 2026-02-12T15:41:01.785Z

NVD

Status: Deferred

Published: 2026-02-11T22:15:52.373

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-26029

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:27Z

Weaknesses