High

Remote Code Execution in Agent Zero External MCP Servers Configuration

IdentifiersCVE-2026-30624CWE-78

Agent Zero 0.9.8 contains a remote code execution vulnerability in the External MCP Servers configuration feature. The application accepts MCP server definitions in JSON that include user-controlled command and args values, and executes those values when the configuration is applied without sufficient validation or restriction. Because the feature launches attacker-supplied operating system commands directly from configuration data, a malicious MCP configuration can cause arbitrary command execution on the host running Agent Zero. The issue is part of a broader unsafe STDIO/MCP configuration pattern described by researchers across multiple AI tooling products.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary operating system command execution in the context of the Agent Zero process. Depending on how Agent Zero is deployed, this can lead to full compromise of the host or container, access to application data, theft of credentials, API keys, and other secrets available to the process, installation of persistence mechanisms, lateral movement, and broader environment compromise.

Mitigation

If you can’t patch tonight, do this now.

Do not allow untrusted users or untrusted artifacts to supply External MCP Server JSON configurations. Restrict access to MCP configuration functionality to highly trusted administrators only. Treat all external MCP configuration as untrusted input. Where possible, disable STDIO/process-spawning MCP integrations and prefer non-local transports that do not launch local commands. Run Agent Zero with least privilege, isolate it in a hardened container or sandbox, restrict outbound network access, and monitor for unexpected child-process creation and suspicious command execution.

Remediation

Patch, then assume compromise.

Upgrade to a vendor-fixed release if one is available; the provided content does not specify a patched Agent Zero version. The vulnerable behavior should be remediated by preventing execution of arbitrary user-supplied command and args values in External MCP Servers configuration, enforcing strict allowlisting of safe transports and server definitions, and introducing isolation or sandboxing for any necessary MCP server execution. If the feature is not essential, disable or remove support for externally supplied STDIO-style MCP server configurations.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Agent-ZeroAgent-Zeroapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

obsidian security blogNews

May 28, 2026

1-Click RCE in Flowise (CVE-2026-40933): When Is stdio MCP Actually a Vulnerability?

A CVE assigned to Agent Zero in the context of stdio MCP or code-execution behavior in hosted single-user AI web services.

the hacker newsNews

Apr 20, 2026

Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain

A vulnerability in Agent Zero caused by unsafe MCP STDIO configuration behavior that may permit command execution on the server.

ox security blogNews

Apr 15, 2026

MCP STDIO Command Injection: Full Vulnerability Advisory

A critical remote command execution vulnerability in Agent Zero due to insufficient validation of arbitrary command and args values in MCP server configuration.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-30624

NVD

nvd.nist.gov/vuln/detail/CVE-2026-30624

MITRE CWE · CWE-78

cwe.mitre.org

Third Party Advisory

ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem