CVE-2026-7039: tufantunc ssh-mcp Local Command Injection Exposed
The National Vulnerability Database has disclosed CVE-2026-7039, a high-severity (CVSS 7.8) command injection vulnerability impacting tufantunc ssh-mcp up to version 1.5.0. This flaw resides within the shell.write function of the src/index.ts file, where improper handling of the ‘Description’ argument allows for arbitrary command execution.
Crucially, this vulnerability requires local access to exploit. While this limits its immediate widespread impact compared to remote exploits, it’s a significant concern for environments where ssh-mcp is used in shared or multi-user systems. An attacker with even low-privileged local access could escalate privileges or pivot within the network. The exploit has been publicly disclosed, increasing the urgency for mitigation.
According to the National Vulnerability Database, the project maintainers were informed of the issue but have not yet responded. This lack of response leaves users exposed, highlighting the critical need for proactive security hygiene. Defenders must assess their exposure and consider immediate compensating controls or discontinuation of the affected software if no patch is forthcoming.
What This Means For You
- If your organization uses tufantunc ssh-mcp, you need to immediately identify all instances running versions up to 1.5.0. Given the public disclosure of the exploit and the lack of a vendor response, this is a ticking time bomb for local privilege escalation. Consider isolating systems running this software or implementing strict access controls to prevent local users from exploiting CVE-2026-7039.
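One way to take the inventory described above, as an added example (not code from the advisory or from the ssh-mcp project): a Node.js script that walks a directory tree for `package.json` files and flags installs at or below 1.5.0. It assumes the package's `package.json` names it `ssh-mcp`; `classify`, `findInstalls` and the sample tree are constructed for illustration.

```javascript
// Added example. Assumption: the package's package.json carries the name "ssh-mcp".
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const LAST_AFFECTED = [1, 5, 0]; // advisory: "up to version 1.5.0"

// 'affected' | 'not-affected' | 'unknown' (unparsable version: review by hand)
function classify(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return 'unknown';
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== LAST_AFFECTED[i]) return v[i] < LAST_AFFECTED[i] ? 'affected' : 'not-affected';
  }
  return 'affected'; // exactly 1.5.0
}

// Walk root (symlinks are not followed) and report each package.json named `name`.
function findInstalls(root, name = 'ssh-mcp') {
  const hits = [], stack = [root];
  while (stack.length) {
    const dir = stack.pop();
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { continue; }
    for (const e of entries) {
      const full = path.join(dir, e.name);
      if (e.isDirectory()) { stack.push(full); continue; }
      if (!e.isFile() || e.name !== 'package.json') continue;
      try {
        const pkg = JSON.parse(fs.readFileSync(full, 'utf8'));
        if (pkg.name === name) hits.push({ dir, version: pkg.version, status: classify(pkg.version) });
      } catch { /* unreadable or malformed package.json: skip */ }
    }
  }
  return hits.sort((a, b) => a.dir.localeCompare(b.dir));
}

// Constructed sample tree (not real hosts) so the example runs offline.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'sshmcp-inv-'));
  for (const [rel, name, version] of [['a', 'ssh-mcp', '1.5.0'], ['b', 'ssh-mcp', '1.5.1'], ['c', 'other-pkg', '0.9.0']]) {
    const dir = path.join(root, rel, 'node_modules', name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version }));
  }
  const rows = findInstalls(root).map((h) => `${path.relative(root, h.dir)} ${h.version} ${h.status}`);
  fs.rmSync(root, { recursive: true, force: true });
  return rows;
}
console.log(demo().join('\n'));
```

On a real host, call `findInstalls` on the directories where Node packages live (global `node_modules`, project trees, user home directories) and treat every `affected` or `unknown` row as in scope for the compensating controls above.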
🛡️ Detection Rules
CVE-2026-7039: tufantunc ssh-mcp Local Command Injection
```yaml
title: 'CVE-2026-7039: tufantunc ssh-mcp Local Command Injection'
id: scw-2026-04-26-ai-1
status: experimental
level: critical
description: |
  Detects the execution of ssh-mcp with a Description argument, indicating a potential local command injection attempt via CVE-2026-7039. This rule targets the specific vulnerability in the shell.write function of src/index.ts where manipulation of the 'Description' argument leads to command injection.
author: SCW Feed Engine (AI-generated)
date: 2026-04-26
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7039/
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
detection:
  selection:
    Image|contains:
      - '/usr/bin/ssh'
    # Both substrings must be present; repeating the CommandLine key would be a duplicate YAML key
    CommandLine|contains|all:
      - 'ssh-mcp'
      - 'Description='
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7039 | Command Injection | tufantunc ssh-mcp up to version 1.5.0 |
| CVE-2026-7039 | Command Injection | src/index.ts::shell.write function |
| CVE-2026-7039 | Command Injection | Manipulation of argument 'Description' |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 26, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.