CVE-2026-49986
Python Schwachstellenanalyse und -minderung

Überblick

CVE-2026-49986 is an untrusted project bootstrap code execution vulnerability in the Cortex MCP server (neuro-cortex-memory) that allows local attackers to execute arbitrary Python code by placing crafted marker files in a malicious project directory. The vulnerability affects all versions of neuro-cortex-memory up to and including 3.17.0, with version 3.17.1 containing the fix. It was first published by the maintainer on May 27, 2026, and added to the GitHub Advisory Database on July 1, 2026. The CVSS v3.1 base score is 7.8 (High), and the CVSS v4.0 base score is 7.1 (High) (GitHub Advisory, Cortex Advisory).

Technische Details

The root cause is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The _find_dev_source() function in mcp_server/handlers/open_visualization.py iterates over both CORTEX_DEV_ROOT and CLAUDE_PROJECT_DIR environment variables to build a list of candidate Cortex source root directories. Since CLAUDE_PROJECT_DIR is automatically set by the Claude Code IDE extension to the currently open project directory, any project a user opens is silently treated as a potential Cortex developer checkout. The only validation performed by _is_cortex_root() is checking for the presence of an mcp_server/ subdirectory and a ui/unified-viz.html file — trivially replicable markers — after which mcp_server/server/visualize_bootstrap.py is executed unconditionally via subprocess.run([sys.executable, ...]). A secondary execution path exists in mcp_server/server/http_launcher.py, where the same untrusted source is used to rsync attacker-controlled files into the Cortex plugin cache. A public proof-of-concept is included in the advisory (GitHub Advisory, Cortex Advisory).

Aufprall

Successful exploitation results in arbitrary Python code execution with the full privileges of the victim's local user account — the same account running Claude Code and the Cortex MCP server process. Confidentiality impact includes exfiltration of local files, secrets, environment variables, and SSH/GPG keys. Integrity and availability impacts include modification or deletion of local files, source code, credentials, and plugin caches, as well as termination of local processes. The secondary http_launcher.py path additionally allows an attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed (Cortex Advisory).

Ausnutzungsschritte

  1. Craft malicious repository: Create a directory containing the two marker files required to pass _is_cortex_root() validation: mcp_server/ (subdirectory) and ui/unified-viz.html (file with any content).
  2. Plant malicious bootstrap script: Place an arbitrary Python payload at mcp_server/server/visualize_bootstrap.py within the crafted directory (e.g., a reverse shell, credential exfiltration script, or persistence mechanism).
  3. Social-engineer the victim: Distribute the malicious repository (e.g., via GitHub, email, or a shared link) and convince the victim to clone or open it in Claude Code. When opened, Claude Code automatically sets CLAUDE_PROJECT_DIR to the malicious directory.
  4. Trigger the vulnerable tool: Wait for or prompt the victim to invoke the open_visualization MCP tool — for example, by suggesting they run the /cortex-visualize slash command in the Claude Code interface.
  5. Achieve code execution: _find_dev_source() reads CLAUDE_PROJECT_DIR, _is_cortex_root() validates the trivial markers, and subprocess.run([sys.executable, 'mcp_server/server/visualize_bootstrap.py']) executes the attacker's payload with the victim's local user privileges (Cortex Advisory).

Indikatoren für Kompromittierung

  • File System: Presence of mcp_server/ subdirectory and ui/unified-viz.html in a non-Cortex project directory opened in Claude Code; unexpected or modified files in the Cortex plugin cache directory; creation of sentinel or payload files in /tmp/ (e.g., /tmp/cortex-open-visualization-poc-owned).
  • Process: Unexpected Python child processes spawned by the Cortex MCP server process executing scripts from user project directories (e.g., python mcp_server/server/visualize_bootstrap.py from a non-standard path); rsync processes initiated by http_launcher.py copying files from a user project directory into the Cortex plugin cache.
  • Logs: MCP server logs showing open_visualization tool invocations followed by subprocess.run calls referencing paths outside the legitimate Cortex installation directory; unexpected outbound network connections from the Python process after tool invocation (Cortex Advisory).

Risikominderung und Problemumgehungen

Upgrade neuro-cortex-memory to version 3.17.1 or later, which removes CLAUDE_PROJECT_DIR from the dev-source candidate list and gates executable dev-source resolution behind an explicit opt-in requiring both CORTEX_DEV_SOURCE_SYNC=1 and CORTEX_DEV_ROOT to be set. The same fix must be applied to mcp_server/server/http_launcher.py to eliminate the secondary rsync execution path. As a temporary workaround for users unable to upgrade immediately, ensure CLAUDE_PROJECT_DIR is not set in the environment where the Cortex MCP server runs, or avoid invoking the open_visualization tool when untrusted project directories are open (Cortex Release, Cortex Advisory).

Reaktionen der Community

The vulnerability was reported by researcher useworld and analyzed by EQSTLab, as credited in the official advisory. The fix was published by maintainer cdeust on May 27, 2026, the same day the advisory was disclosed, indicating a coordinated disclosure process. No significant broader media coverage or notable community commentary beyond the advisory itself has been identified at this time (Cortex Advisory).

Zusätzliche Ressourcen


QuelleDieser Bericht wurde mithilfe von KI erstellt

Verwandt Python Schwachstellen:

CVE-Kennung

Strenge

Punktzahl

Technologieen

Name der Komponente

CISA KEV-Exploit

Hat fix

Veröffentlichungsdatum

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NeinJaJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NeinNeinJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NeinJaJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NeinJaJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NeinJaJun 26, 2026

Kostenlose Schwachstellenbewertung

Benchmarking Ihrer Cloud-Sicherheitslage

Bewerten Sie Ihre Cloud-Sicherheitspraktiken in 9 Sicherheitsbereichen, um Ihr Risikoniveau zu bewerten und Lücken in Ihren Abwehrmaßnahmen zu identifizieren.

Bewertung anfordern

Eine personalisierte Demo anfordern

Sind Sie bereit, Wiz in Aktion zu sehen?

"Die beste Benutzererfahrung, die ich je gesehen habe, bietet vollständige Transparenz für Cloud-Workloads."
David EstlickCISO
"„Wiz bietet eine zentrale Oberfläche, um zu sehen, was in unseren Cloud-Umgebungen vor sich geht.“ "
Adam FletcherSicherheitsbeauftragter
"„Wir wissen, dass, wenn Wiz etwas als kritisch identifiziert, es auch wirklich kritisch ist.“"
Greg PoniatowskiLeiter Bedrohungs- und Schwachstellenmanagement