CVE-2026-5833 - Vulnerability Details

- awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection

Description

A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Published: 2026-04-09

Score: 4.8 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the server.setRequestHandler function in index.ts, where the Identifier argument is accepted without proper validation. A crafted value can inject shell commands that the server executes, allowing a local attacker to run arbitrary code on the host with the privileges of the mcp‑server‑taskwarrior process. The weakness maps to CWE‑74 (Improper Neutralization of Input During Web Page Generation) and CWE‑77 (Improper Access Control).

Affected Systems

The vulnerability affects the awwaiid mcp‑server‑taskwarrior package in all releases up to 1.0.1. Users running those versions on their local infrastructure are susceptible; any machine where the service is deployed locally can be impacted.

Risk and Exploitability

The CVSS base score of 4.8 indicates a moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting limited known exploitation. However, the public disclosure and the confirmed command‑injection capability mean that a local attacker, such as an insider or a compromised local process, could leverage this flaw. The exploitation requires local access to generate a crafted request to the server, reducing the risk of widespread remote attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

awwaiid

mcp-server-taskwarrior

affected

Version	Status	Constraints
`1.0.0`	affected	—
`1.0.1`	affected	—

No data.

Vendor Product Confidence Versions

Awwaiid

Mcp-server-taskwarrior

100%

Version	Status	Scheme	Platform
`1.0.0`	affected	semver	—
`1.0.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade mcp‑server‑taskwarrior to the fixed version that includes commit 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2

Generated by OpenCVE AI on April 9, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/awwaiid/mcp-server-taskwarrior/
https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2
https://github.com/awwaiid/mcp-server-taskwarrior/issues/8
https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095
https://github.com/user-attachments/files/25923228/mcp-server-taskwarrior_bug.pdf
https://vuldb.com/submit/789810
https://vuldb.com/vuln/356289
https://vuldb.com/vuln/356289/cti

History

Thu, 09 Apr 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Awwaiid Awwaiid mcp-server-taskwarrior
Vendors & Products		Awwaiid Awwaiid mcp-server-taskwarrior

Thu, 09 Apr 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Title		awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection
Weaknesses		CWE-74 CWE-77
References		https://github.com/awwaiid/mcp-server-taskwarrior/ https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2 https://github.com/awwaiid/mcp-server-taskwarrior/issues/8 https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095 https://github.com/user-attachments/files/25923228/mcp-server-taskwarrior_bug.pdf https://vuldb.com/submit/789810 https://vuldb.com/vuln/356289 https://vuldb.com/vuln/356289/cti
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Awwaiid Mcp-server-taskwarrior

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-09T02:15:14.582Z

Updated: 2026-04-09T02:15:14.582Z

Reserved: 2026-04-08T17:15:28.223Z

Link: CVE-2026-5833

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-09T04:17:16.900

Modified: 2026-04-09T04:17:16.900

Link: CVE-2026-5833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:25:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object