Description
A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTTP Interface. This manipulation causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: 2.2% Low
KEV: No
Impact: Remote Operating System Command Execution
Action: Patch ASAP
AI Analysis

Impact

A flaw in suvarchal's docker-mcp-server allows an attacker to inject arbitrary operating system commands through the stop_container, remove_container, or pull_image functions exposed by the HTTP interface. The injection occurs via the src/index.ts file, enabling the attacker to execute commands with the privileges of the server process. This can lead to full compromise of the system, data theft, or further lateral movement.

Affected Systems

Products affected include suvarchal's docker-mcp-server up to version 0.1.0. Any deployment of this version, regardless of environment, is vulnerable. The issue resides in the HTTP-facing components, so any machine exposing that interface is at risk.

Risk and Exploitability

The CVSS score of 6.9 denotes moderate severity, but the presence of a publicly available exploit and lack of a vendor response increase the risk. The threat vector is remote, achievable via the exposed HTTP API, and no special local privileges are required. Although EPSS is not listed, the exact exploit is already available, making the vulnerability likely to be targeted. The vulnerability is not currently in the CISA KEV catalog, but its impact warrants immediate attention.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an upgrade to a version newer than 0.1.0 once released by suvarchal.
  • If updating is not possible, immediately restrict network access to the vulnerable HTTP endpoints or disable the stop_container, remove_container, and pull_image routes.
  • Deploy application or web‑application firewalls to filter out suspicious command‑execution patterns.
  • Monitor system and application logs for signs of unauthorized command usage and configure alerts for anomalous activity.
  • Contact the project maintainers to request a patch timeline and provide them with the discovered exploit details.

Generated by OpenCVE AI on April 7, 2026 at 22:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Suvarchal
Suvarchal docker-mcp-server
Vendors & Products Suvarchal
Suvarchal docker-mcp-server

Tue, 07 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stop_container/remove_container/pull_image of the file src/index.ts of the component HTTP Interface. This manipulation causes os command injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title suvarchal docker-mcp-server HTTP index.ts pull_image os command injection
Weaknesses CWE-77
CWE-78
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Suvarchal Docker-mcp-server
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T20:34:17.286Z

Reserved: 2026-04-07T13:42:33.224Z

Link: CVE-2026-5741

cve-icon Vulnrichment

Updated: 2026-04-07T20:34:12.989Z

cve-icon NVD

Status : Deferred

Published: 2026-04-07T20:16:34.873

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-5741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:53Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')