Executive Summary
A critical OS command injection vulnerability (CVE-2026-6942) has been disclosed in radare2-mcp, the Model Context Protocol server for the radare2 reverse engineering framework. The flaw carries a CVSS score of 9.8 and affects versions 1.6.0 and earlier. Remote attackers can bypass the tool's command filter by injecting shell metacharacters into user-controlled input passed to the r2_cmd_str() function, enabling arbitrary operating system command execution without authentication.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6942 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Software | radare2-mcp 1.6.0 and earlier |
| Vulnerability Type | OS Command Injection (CWE-78) |
| Published | April 23, 2026 |
Affected Products
| Product | Affected Versions |
|---|---|
| radare2-mcp | 1.6.0 and earlier |
Technical Analysis
Root Cause
The vulnerability resides in the command filter logic within radare2-mcp, which exposes radare2 reverse engineering capabilities via the Model Context Protocol (MCP). The server accepts user-controlled input and passes it to r2_cmd_str() — radare2's command execution interface — without properly sanitizing or escaping shell metacharacters.
The filter designed to prevent command injection can be bypassed using standard Unix shell metacharacters such as ;, |, &&, $(...), and backtick substitution. An attacker who can reach the MCP server endpoint can inject these characters alongside legitimate radare2 commands, causing the underlying shell to interpret the injected payload as a separate command sequence.
Attack Vector
radare2-mcp serves as an MCP server that allows AI agents and tooling to interact with radare2 for binary analysis. When this server is exposed on a network interface (its default binding behavior in balance_serve or equivalent modes), any reachable client can send crafted MCP requests containing malicious input.
1. Attacker identifies an exposed radare2-mcp endpoint
2. Attacker sends an MCP request with shell metacharacters in the command parameter
Example: legitimate_cmd; malicious_os_command
3. radare2-mcp passes the input to r2_cmd_str() without proper sanitization
4. The shell interprets the injected payload after the metacharacter boundary
5. Arbitrary OS commands execute under the privileges of the radare2-mcp process
Why CVSS 9.8
| Metric | Value | Reason |
|---|---|---|
| Network | AV:N | Exploitable over any network connection to the MCP server |
| No authentication | PR:N | No credentials required to send MCP requests |
| No user interaction | UI:N | Fully server-side exploitation |
| Full C/I/A impact | H/H/H | Arbitrary command execution yields complete host compromise |
Impact Assessment
radare2-mcp is increasingly deployed in AI-assisted reverse engineering workflows, where LLMs and AI agents interact with radare2 to analyze binaries. These environments often run with elevated privileges or in sensitive security research contexts.
| Impact Area | Description |
|---|---|
| Arbitrary Code Execution | Full OS command execution under the server's process privileges |
| Data Exfiltration | Access to files, environment variables, credentials, and secrets on the host |
| Lateral Movement | Use of compromised host as a pivot point within security research networks |
| Research Environment Compromise | Sensitive reverse engineering data and analyzed binaries at risk |
| AI Pipeline Poisoning | If integrated with AI tooling, compromised analysis results could poison downstream decisions |
Remediation
Step 1: Update radare2-mcp
Upgrade to a patched version of radare2-mcp that has addressed CVE-2026-6942. Check the project's GitHub releases or package registry for the latest patched release.
# If installed via pip
pip install --upgrade radare2-mcp
# If installed via npm
npm update radare2-mcp
# Verify installed version
pip show radare2-mcp | grep VersionStep 2: Restrict Network Exposure
If a patched version is not yet available or immediate upgrade is not possible:
# Bind the MCP server to localhost only
# Do NOT expose radare2-mcp on 0.0.0.0 or external interfaces
# Firewall: block external access to radare2-mcp port
sudo ufw deny from any to any port <mcp_port>
sudo ufw allow from 127.0.0.1 to any port <mcp_port>Step 3: Principle of Least Privilege
Run radare2-mcp under a dedicated low-privilege service account:
# Create a restricted service user
sudo useradd -r -s /bin/false radare2-mcp-svc
# Run radare2-mcp as this user
sudo -u radare2-mcp-svc radare2-mcpStep 4: Input Validation (Upstream Fix Guidance)
Upstream maintainers should implement strict allowlist-based command validation rather than denylist-based filter bypass protection. All user-controlled input must be escaped or validated before being passed to r2_cmd_str().
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected child processes spawned by radare2-mcp | Possible command injection exploitation |
| Unusual network connections from the radare2-mcp process | Reverse shell or C2 beaconing |
| Access to files outside expected binary analysis directories | Post-exploitation data access |
| Shell metacharacters in MCP server request logs | Injection attempt indicators |
| New user accounts or cron jobs created on host | Post-exploitation persistence |
Post-Remediation Checklist
- Update radare2-mcp to the latest patched release
- Restrict radare2-mcp binding to localhost or trusted interfaces only
- Audit recent MCP server request logs for shell metacharacter injection attempts
- Review process spawn history for unexpected child processes from radare2-mcp
- Rotate any credentials or API keys accessible to the radare2-mcp process environment
- Apply least-privilege service account for radare2-mcp
- Monitor network connections from the radare2-mcp host for unusual outbound traffic