CVE-2026-30624 - Vulnerability Details

- Remote Code Execution via Malicious MCP Server Configuration in Agent Zero 0.9.8

Description

Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the configuration is applied without sufficient validation or restriction. An attacker may supply a malicious MCP configuration to execute arbitrary operating system commands, potentially resulting in remote code execution with the privileges of the Agent Zero process.

Published: 2026-04-15

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in Agent Zero 0.9.8 allows an attacker to supply a malicious JSON configuration for MCP Servers that includes arbitrary command and argument values. The application executes these values without adequate validation or restriction, enabling the attacker to run arbitrary operating system commands with the privileges of the Agent Zero process. This is an example of OS command injection, classified as CWE-77. The impact is the compromise of confidentiality, integrity, and availability of the system where Agent Zero is running.

Affected Systems

The affected product is Agent Zero, version 0.9.8.

Risk and Exploitability

The CVE is assessed as a remote code execution risk. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The exploit requires an attacker to supply a malicious MCP configuration file or object that the application will apply; thus, the attack vector is inferred to involve any entity that can influence the configuration, potentially local or remote depending on the deployment. Successful exploitation would provide full control of the host system with the same privileges as the Agent Zero process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Agent-zero

100%

Version	Status	Scheme	Platform
`0.9.8`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable or block the MCP Servers configuration feature until a patch is available.
If disabling is not feasible, implement strict input validation to allow only whitelisted commands and arguments and reject any that contain suspicious syntax.
Configure the Agent Zero process to run under the principle of least privilege, limiting the scope of damage if an attacker achieves execution.
Monitor logs for unexpected configuration changes and command executions to detect potential exploitation attempts.

Generated by OpenCVE AI on April 15, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00225.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

History

Wed, 15 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via Malicious MCP Server Configuration in Agent Zero 0.9.8

Wed, 15 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Agent-zero Agent-zero agent-zero
Vendors & Products		Agent-zero Agent-zero agent-zero

Wed, 15 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Agent Zero 0.9.8 contains a remote code execution vulnerability in its External MCP Servers configuration feature. The application allows users to define MCP servers using a JSON configuration containing arbitrary command and args values. These values are executed by the application when the configuration is applied without sufficient validation or restriction. An attacker may supply a malicious MCP configuration to execute arbitrary operating system commands, potentially resulting in remote code execution with the privileges of the Agent Zero process.
References		https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem/

Subscriptions

Agent-zero Agent-zero

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-15T00:00:00.000Z

Updated: 2026-04-15T18:02:40.808Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30624

Vulnrichment

Updated: 2026-04-15T18:02:35.117Z

NVD

Status : Awaiting Analysis

Published: 2026-04-15T16:16:36.677

Modified: 2026-04-17T15:09:46.880

Link: CVE-2026-30624

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T22:30:16Z

Weaknesses

CWE-77

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object