Description
A vulnerability was determined in Nor2-io heim-mcp up to 0.1.3. Impacted is the function registerTools of the file src/tools.ts of the component new_heim_application/deploy_heim_application/deploy_heim_application_to_cloud. This manipulation causes os command injection. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Patch name: c321d8af25f77668781e6ccb43a1336f9185df37. It is suggested to install a patch to address this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Published: 2026-04-05
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Patch
AI Analysis

Impact

The registerTools function in src/tools.ts for the new_heim_application component accepts untrusted input and executes it as an OS command, creating an OS command injection flaw that allows an attacker with local access to run arbitrary shell commands. This flaw can compromise the integrity and availability of the affected system, and potentially expose sensitive information if commands are used to read or modify data.

Affected Systems

Nor2-io heim‑mcp, versions up to 0.1.3, including the deploy_heim_application_to_cloud module. The patch identified by commit c321d8af25f77668781e6ccb43a1336f9185df37 resolves the issue. No other vendors or products are listed.

Risk and Exploitability

The CVSS score of 4.8 reflects a medium severity, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local access and is publicly disclosed. With the public exploit available, a local attacker can leverage the flaw until remediation. The lack of EPSS data makes precise predictability unclear, but the existence of a public exploit elevates the urgency to apply the available patch.

Generated by OpenCVE AI on April 6, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch commit c321d8af25f77668781e6ccb43a1336f9185df37 to update heim-mcp to a version newer than 0.1.3.
  • Verify that the updated version is running and that the registerTools functionality no longer accepts unsanitized input.
  • Run the application with the least privileges necessary to limit potential damage.
  • Monitor system logs for unexpected command executions and alert on anomalous activities.

Generated by OpenCVE AI on April 6, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wx4p-jr66-jfp9 @nor2/heim-mcp vulnerable to command injection
History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Nor2-io
Nor2-io heim-mcp
Vendors & Products Nor2-io
Nor2-io heim-mcp

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 05 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in Nor2-io heim-mcp up to 0.1.3. Impacted is the function registerTools of the file src/tools.ts of the component new_heim_application/deploy_heim_application/deploy_heim_application_to_cloud. This manipulation causes os command injection. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Patch name: c321d8af25f77668781e6ccb43a1336f9185df37. It is suggested to install a patch to address this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title Nor2-io heim-mcp new_heim_application tools.ts registerTools os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nor2-io Heim-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T15:05:58.388Z

Reserved: 2026-04-05T13:30:33.910Z

Link: CVE-2026-5602

cve-icon Vulnrichment

Updated: 2026-04-06T15:05:53.557Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-05T23:16:19.497

Modified: 2026-04-07T13:20:35.010

Link: CVE-2026-5602

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:48:06Z

Weaknesses