radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.
References
| Link | Resource |
|---|---|
| https://github.com/radareorg/radare2-mcp/commit/482cde6500009112a8bc0b3fa8d2ef6180581ec0 | Patch |
| https://github.com/radareorg/radare2-mcp/issues/45 | Exploit Issue Tracking |
| https://www.vulncheck.com/advisories/radare2-mcp-os-command-injection-via-shell-metacharacter-bypass | Third Party Advisory |
Configurations
History
04 Jun 2026, 14:19
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Radare
Radare radare2 Mcp Server |
|
| CPE | cpe:2.3:a:radare:radare2_mcp_server:*:*:*:*:*:*:*:* | |
| References | () https://github.com/radareorg/radare2-mcp/commit/482cde6500009112a8bc0b3fa8d2ef6180581ec0 - Patch | |
| References | () https://github.com/radareorg/radare2-mcp/issues/45 - Exploit, Issue Tracking | |
| References | () https://www.vulncheck.com/advisories/radare2-mcp-os-command-injection-via-shell-metacharacter-bypass - Third Party Advisory |
29 Apr 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE | CWE-78 |
24 Apr 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| CWE |
23 Apr 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-23 21:16
Updated : 2026-06-04 14:19
NVD link : CVE-2026-6942
Mitre link : CVE-2026-6942
CVE.ORG link : CVE-2026-6942
JSON object : View
Products Affected
radare
- radare2_mcp_server
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')