Description
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Injection
Action: Immediate Patch
AI Analysis

Impact

An HTTP interface in idachev mcp-javadc accepts a jarFilePath argument that is passed directly to the operating system's command line, a classic OS command injection flaw classified under CWE-77 and CWE-78 (command injection). An attacker can inject arbitrary shell commands, and successful exploitation grants the ability to execute any command on the host, potentially leading to full system compromise, data theft, or denial of service.

Affected Systems

The flaw exists in idachev mcp-javadc releases up to version 1.2.4. It is triggered through a web‑based HTTP endpoint that is exposed to network traffic, meaning any deployment of the affected application, regardless of underlying operating system, is susceptible.

Risk and Exploitability

With a CVSS score of 6.9 the vulnerability is rated moderate, but the publicly available proof of concept means crafted requests can trigger it remotely. The low EPSS score and absence from the CISA KEV catalog do not reduce the risk: no authentication or privileged rights are required, and because the architecture allows direct command execution, the threat is highly actionable for a motivated attacker.

Generated by OpenCVE AI on April 8, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the author’s repository or official vendor site for a patched release and upgrade to a fixed version as soon as one is available.
  • Limit exposure of the HTTP interface to trusted networks only, using firewall rules, IP whitelisting, or VPN tunnel requirements.
  • Instrument the service to log incoming jarFilePath values and investigate any suspicious characters or command separators such as “;”, “&&”, or “|”.
  • If code changes are possible, add server‑side validation that rejects (or escapes) any shell metacharacters in the jarFilePath value before it is used.
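As an added illustration (not the project's code; the page does not show its implementation language or API), the following Python sketch applies the last two recommendations: it validates a jarFilePath value against shell metacharacters and path traversal, hands the decompiler an argv list rather than a shell string, and flags log lines carrying command separators. The allowed directory, the "decompiler.jar" tool name and the log line format are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Characters that would let a jarFilePath value start a second command if it were
# interpolated into a shell string such as "java -jar decompiler.jar <value>".
SHELL_METACHARACTERS = re.compile(r"[;&|`$<>\n\r]")


def is_safe_jar_path(value: str, allowed_root: Path) -> bool:
    """Accept only a .jar path that resolves inside allowed_root (an assumed directory)."""
    if SHELL_METACHARACTERS.search(value):
        return False
    candidate = (allowed_root / value).resolve()  # an absolute value replaces the root
    try:
        candidate.relative_to(allowed_root.resolve())  # rejects '..' traversal out of root
    except ValueError:
        return False
    return candidate.suffix == ".jar"


def build_decompile_command(value: str, allowed_root: Path) -> list[str]:
    """Return an argv list; "decompiler.jar" is a placeholder for the wrapped tool.
    The list form keeps the value a single argument; validation is defence in depth."""
    if not is_safe_jar_path(value, allowed_root):
        raise ValueError(f"rejected jarFilePath: {value!r}")
    return ["java", "-jar", "decompiler.jar", str((allowed_root / value).resolve())]


def run_decompiler(value: str, allowed_root: Path) -> subprocess.CompletedProcess:
    # shell=False: argv goes to execve directly, so no shell ever parses the path.
    return subprocess.run(build_decompile_command(value, allowed_root),
                          shell=False, capture_output=True, text=True, check=False)


def flag_suspicious_log_lines(lines: list[str]) -> list[str]:
    """Detection side: log lines whose jarFilePath value carries a shell separator.
    Assumes the service logs the decoded value as 'jarFilePath=<value>'."""
    pattern = re.compile(r"jarFilePath=(\S+)")
    return [line for line in lines
            if (m := pattern.search(line)) and SHELL_METACHARACTERS.search(m.group(1))]


# Constructed sample log lines for the detection check (not real traffic).
SAMPLE_LOG = [
    "2026-04-08T20:00:01Z INFO decompile jarFilePath=app.jar",
    "2026-04-08T20:00:02Z INFO decompile jarFilePath=app.jar;ls",
    "2026-04-08T20:00:03Z INFO decompile jarFilePath=lib/util.jar",
    "2026-04-08T20:00:04Z INFO decompile jarFilePath=x.jar|cat",
]
```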

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Idachev
                                       Idachev mcp-javadc
Vendors & Products                     Idachev
                                       Idachev mcp-javadc

Wed, 08 Apr 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Title                          idachev mcp-javadc HTTP os command injection
Weaknesses                     CWE-77
                               CWE-78
References
Metrics                        cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
                               cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
                               cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-08T20:00:24.876Z

Reserved: 2026-04-08T14:29:32.763Z

Link: CVE-2026-5802

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T20:16:27.340

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-5802

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:30Z

Weaknesses