Platform
nodejs
Component
mcp-server-taskwarrior
Fixed in
1.0.1
1.0.2
CVE-2026-5833 is a command injection vulnerability in the awwaiid mcp-server-taskwarrior component. The flaw allows an attacker to inject and execute arbitrary commands on the system, potentially leading to unauthorized access and control. It affects versions of mcp-server-taskwarrior up to and including 1.0.1. A patch has been released, and upgrading to version 1.0.2 is recommended.
A command injection vulnerability has been identified in awwaiid mcp-server-taskwarrior up to version 1.0.1 (CVE-2026-5833). It affects the `server.setRequestHandler` function in the file `index.ts`. A local attacker can manipulate the `Identifier` argument to execute arbitrary commands on the system. The vulnerability has a CVSS score of 5.3. Exploitation requires local access, but the issue has been publicly disclosed, which increases the risk. The vulnerability could allow an attacker to compromise system integrity and potentially gain unauthorized access to sensitive data.
The vulnerability requires local access to the system where awwaiid mcp-server-taskwarrior is running. A local attacker could exploit the vulnerability by manipulating the Identifier argument in the server.setRequestHandler function. The public disclosure of the exploit means that the necessary information to exploit the vulnerability is available to a wider audience, increasing the likelihood of attacks. The local nature of the exploitation limits the risk of direct remote attacks, but still represents a significant threat to systems with compromised local access.
Exploit Status
EPSS
0.30% (53rd percentile)
CISA SSVC
CVSS Vector
The recommended solution is to upgrade to version 1.0.2 of awwaiid mcp-server-taskwarrior. This version includes a fix for the command injection vulnerability. The specific patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Ensure you apply the update as soon as possible to mitigate the risk. Additionally, review security configurations and access permissions to limit the potential impact in case of successful exploitation. The vendor has been contacted and responded, indicating a commitment to security.
Update to version 1.0.2 or later to mitigate the command injection vulnerability. The update includes a fix in the `server.setRequestHandler` function that prevents manipulation of the `Identifier` argument. See commit `1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2` for more details.
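The following is an added example, not taken from the advisory or from the mcp-server-taskwarrior repository. It shows the general remedy for this bug class in a Node.js handler: allow-list the identifier and pass it to the CLI as an argv element rather than as part of a shell string. The function names, the `task <id> <action>` call shape and the allowed actions are assumptions.

```javascript
// Added illustration; not code from mcp-server-taskwarrior.
// Assumption: a request handler receives a task identifier and an action
// and invokes the Taskwarrior `task` CLI with them.

const NUMERIC_ID = /^[1-9][0-9]{0,8}$/;
const TASK_UUID = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;
const ALLOWED_ACTIONS = new Set(['done', 'info']);

// Pattern to avoid: the identifier is pasted into a string that a shell will
// parse, so characters such as ; | $ ` are interpreted as shell syntax.
function buildShellStringUnsafe(identifier, action) {
  return `task ${identifier} ${action}`;
}

// Hardened form: allow-list both values and return an argv array.
// The allow-list also stops argument injection into `task` itself
// (leading "-", "rc.*" overrides, filter expressions).
function buildTaskArgs(identifier, action) {
  if (typeof identifier !== 'string' && !Number.isInteger(identifier)) {
    throw new TypeError('identifier must be a string or integer');
  }
  const id = String(identifier);
  if (!NUMERIC_ID.test(id) && !TASK_UUID.test(id)) {
    throw new TypeError('identifier must be a task number or UUID');
  }
  if (!ALLOWED_ACTIONS.has(action)) {
    throw new TypeError('unsupported action');
  }
  return [id, action];
}

// execFile passes argv directly to the program; no shell parses the values.
async function runTask(identifier, action) {
  const { execFile } = await import('node:child_process');
  const { promisify } = await import('node:util');
  const args = buildTaskArgs(identifier, action);
  const { stdout } = await promisify(execFile)('task', args, { timeout: 5000 });
  return stdout;
}
```

`runTask` needs the `task` binary on the PATH; `buildTaskArgs` can be unit-tested without it.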
It's a unique identifier for a security vulnerability in awwaiid mcp-server-taskwarrior.
It allows the execution of arbitrary commands on the system if local access is obtained.
Upgrade to version 1.0.2 of awwaiid mcp-server-taskwarrior.
The patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2 and is included in version 1.0.2.
Yes, the vendor has been contacted and has responded.