CVE-2026-7590: OS Command Injection in eyal-gor p_69_branch_monkey_mcp

The National Vulnerability Database has disclosed CVE-2026-7590, a high-severity OS command injection vulnerability (CVSS 7.3) affecting eyal-gor’s p_69_branch_monkey_mcp project up to commit 69bc71874ce40050ef45fde5a435855f18af3373. The flaw resides in an unknown function of the file `branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py`, which belongs to the Preview Endpoint component. Attackers can exploit it remotely by manipulating the `dev_script` argument.

What makes this particularly dangerous is the public availability of an exploit, as noted by the National Vulnerability Database. The project lacks versioning, making it impossible to identify specific affected or unaffected releases. Furthermore, the project maintainers were informed via an issue report but have not yet responded, leaving users exposed to a known, exploitable vulnerability.

This isn’t just theoretical. Remote OS command injection is a red teamer’s dream. It often leads directly to shell access, allowing for complete system compromise, data exfiltration, or further lateral movement within a network. The lack of response from the maintainers means any organization using this component is operating on borrowed time.

What This Means For You

  • If your organization utilizes `eyal-gor p_69_branch_monkey_mcp` in any capacity, immediately audit your deployments. Given the public exploit and remote attack vector, assume compromise is imminent if you're running vulnerable versions. Until a patch is available, consider isolating or disabling any systems running this component. Prioritize identifying if this dependency exists within your environment and assess the potential blast radius.

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Sigma YAML — free preview
title: CVE-2026-7590: OS Command Injection in eyal-gor p_69_branch_monkey_mcp Preview Endpoint
id: scw-2026-05-01-ai-1
status: experimental
level: critical
description: |
  This rule detects attempts to exploit CVE-2026-7590 by identifying requests to the 'advanced.py' endpoint with a 'dev_script' parameter containing common command injection characters like backticks, semicolons, pipes, or logical operators. This is the primary indicator of a remote OS command injection attempt via the Preview Endpoint.
author: SCW Feed Engine (AI-generated)
date: 2026-05-01
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7590/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
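detection:
  # One selection per test: Sigma ANDs the keys inside a selection and ORs
  # the values of a list. Repeating the same key in one map is a duplicate
  # YAML key, so only one of the repeated entries would survive parsing.
  selection_endpoint:
      cs-uri|contains: '/advanced.py'
  selection_param:
      cs-uri-query|contains: 'dev_script='
  selection_meta:
      cs-uri-query|contains:
          - '`'
          - ';'
          - '|'
          - '&&'
          - '||'
  condition: selection_endpoint and selection_param and selection_meta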
falsepositives:
  - Legitimate administrative activity
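
The rule's intended logic, as an added example (not part of the original page or the project's code): match the endpoint, isolate the `dev_script` value, percent-decode it, then look for the metacharacters the rule description lists. `SAMPLE_REQUESTS`, `suspicious_dev_script`, `scan` and the `path_hint` default are assumptions made here; the page names the source file `advanced.py` but not the URL route, so set `path_hint` to the Preview Endpoint path used in your deployment.

```python
from urllib.parse import parse_qsl, urlsplit

# Metacharacters listed in the rule description on this page.
SHELL_META = ("`", ";", "|", "&&", "||")

# Constructed sample requests (method, request target); not real traffic.
SAMPLE_REQUESTS = [
    ("GET", "/advanced.py?dev_script=npm+run+dev"),                   # benign
    ("GET", "/advanced.py?dev_script=npm%20run%20dev%3B%20id"),       # encoded ';'
    ("GET", "/advanced.py?dev_script=npm%20run%20dev%20%7C%7C%20id"), # encoded '||'
    ("GET", "/advanced.py?theme=a;b&dev_script=vite"),                # ';' in another param
    ("GET", "/status?dev_script=x%60id%60"),                          # different endpoint
]


def suspicious_dev_script(target, path_hint="/advanced.py"):
    """Return the metacharacters found in the decoded dev_script value, else []."""
    parts = urlsplit(target)
    if path_hint not in parts.path:  # path_hint is an assumption, see lead-in
        return []
    hits = []
    # parse_qsl percent-decodes each value, so '%3B' and ';' are treated alike,
    # and only the dev_script value is inspected, not the whole query string.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "dev_script":
            hits += [m for m in SHELL_META if m in value and m not in hits]
    return hits


def scan(requests=SAMPLE_REQUESTS):
    """Return (target, hits) for every request that should raise an alert."""
    return [(t, h) for _, t in requests if (h := suspicious_dev_script(t))]


if __name__ == "__main__":
    for target, hits in scan():
        print(f"ALERT {target} metacharacters={hits}")
```

A raw substring match on the query string misses the two percent-encoded samples and fires on the `theme=a;b` one. If the endpoint receives `dev_script` in a request body, query-string logs will not contain it and the same check has to run where the body is visible.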

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-7590 | Command Injection | eyal-gor p_69_branch_monkey_mcp up to 69bc71874ce40050ef45fde5a435855f18af3373 |
| CVE-2026-7590 | Command Injection | branch_monkey_mcp/bridge_and_local_actions/routes/advanced.py |
| CVE-2026-7590 | Command Injection | Preview Endpoint component |
| CVE-2026-7590 | Command Injection | Manipulation of argument dev_script |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 01, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
