Description
A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: OS Command Injection
Action: Limit Access
AI Analysis

Impact

An OS command injection flaw exists in ChrisChinchilla Vale‑MCP’s HTTP interface, where manipulating the config_path argument in src/index.ts allows an attacker to execute arbitrary operating‑system commands with the privileges of the running application. This can compromise system integrity and availability by enabling the execution of any command the process user is permitted to run.

Affected Systems

The vulnerability affects versions of ChrisChinchilla Vale‑MCP up to 0.1.0. Only this specific component’s HTTP interface exposes the vulnerable config_path argument; no other versions or vendors are known to be impacted.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate severity, and the requirement for local access limits the threat to environments where an attacker can reach the target application locally or where the component accepts input from untrusted users. No exploit probability score is available and the vulnerability is not listed in CISA’s KEV catalog. Because the vendor has not released a remediation, the risk persists until a patch is provided or the exposure is mitigated.

Generated by OpenCVE AI on April 6, 2026 at 07:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict local access to the Vale‑MCP HTTP interface so only trusted users can invoke it
  • Remove or disable the config_path parameter from the API to eliminate the injection surface
  • Apply input validation or sanitization to the config_path argument if it must remain available
  • Monitor system logs for abnormal command executions triggered by HTTP requests
  • Check the vendor’s website or repository for any new releases that address the issue

Generated by OpenCVE AI on April 6, 2026 at 07:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Chrischinchilla
Chrischinchilla vale-mcp
Vendors & Products Chrischinchilla
Chrischinchilla vale-mcp

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 06 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in ChrisChinchilla Vale-MCP up to 0.1.0. Affected by this vulnerability is an unknown functionality of the file src/index.ts of the component HTTP Interface. The manipulation of the argument config_path results in os command injection. Attacking locally is a requirement. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title ChrisChinchilla Vale-MCP HTTP index.ts os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Chrischinchilla Vale-mcp
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-06T14:27:21.954Z

Reserved: 2026-04-05T16:00:51.488Z

Link: CVE-2026-5621

cve-icon Vulnrichment

Updated: 2026-04-06T14:27:18.121Z

cve-icon NVD

Status : Deferred

Published: 2026-04-06T05:16:02.450

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5621

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-06T21:47:26Z

Weaknesses