
PEACH
Un framework di isolamento del tenant
CVE-2026-49986 is an untrusted project bootstrap code execution vulnerability in the Cortex MCP server (neuro-cortex-memory) that allows local attackers to execute arbitrary Python code by placing crafted marker files in a malicious project directory. The vulnerability affects all versions of neuro-cortex-memory up to and including 3.17.0, with version 3.17.1 containing the fix. It was first published by the maintainer on May 27, 2026, and added to the GitHub Advisory Database on July 1, 2026. The CVSS v3.1 base score is 7.8 (High), and the CVSS v4.0 base score is 7.1 (High) (GitHub Advisory, Cortex Advisory).
The root cause is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The _find_dev_source() function in mcp_server/handlers/open_visualization.py iterates over both CORTEX_DEV_ROOT and CLAUDE_PROJECT_DIR environment variables to build a list of candidate Cortex source root directories. Since CLAUDE_PROJECT_DIR is automatically set by the Claude Code IDE extension to the currently open project directory, any project a user opens is silently treated as a potential Cortex developer checkout. The only validation performed by _is_cortex_root() is checking for the presence of an mcp_server/ subdirectory and a ui/unified-viz.html file — trivially replicable markers — after which mcp_server/server/visualize_bootstrap.py is executed unconditionally via subprocess.run([sys.executable, ...]). A secondary execution path exists in mcp_server/server/http_launcher.py, where the same untrusted source is used to rsync attacker-controlled files into the Cortex plugin cache. A public proof-of-concept is included in the advisory (GitHub Advisory, Cortex Advisory).
Successful exploitation results in arbitrary Python code execution with the full privileges of the victim's local user account — the same account running Claude Code and the Cortex MCP server process. Confidentiality impact includes exfiltration of local files, secrets, environment variables, and SSH/GPG keys. Integrity and availability impacts include modification or deletion of local files, source code, credentials, and plugin caches, as well as termination of local processes. The secondary http_launcher.py path additionally allows an attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed (Cortex Advisory).
_is_cortex_root() validation: mcp_server/ (subdirectory) and ui/unified-viz.html (file with any content).mcp_server/server/visualize_bootstrap.py within the crafted directory (e.g., a reverse shell, credential exfiltration script, or persistence mechanism).CLAUDE_PROJECT_DIR to the malicious directory.open_visualization MCP tool — for example, by suggesting they run the /cortex-visualize slash command in the Claude Code interface._find_dev_source() reads CLAUDE_PROJECT_DIR, _is_cortex_root() validates the trivial markers, and subprocess.run([sys.executable, 'mcp_server/server/visualize_bootstrap.py']) executes the attacker's payload with the victim's local user privileges (Cortex Advisory).mcp_server/ subdirectory and ui/unified-viz.html in a non-Cortex project directory opened in Claude Code; unexpected or modified files in the Cortex plugin cache directory; creation of sentinel or payload files in /tmp/ (e.g., /tmp/cortex-open-visualization-poc-owned).python mcp_server/server/visualize_bootstrap.py from a non-standard path); rsync processes initiated by http_launcher.py copying files from a user project directory into the Cortex plugin cache.open_visualization tool invocations followed by subprocess.run calls referencing paths outside the legitimate Cortex installation directory; unexpected outbound network connections from the Python process after tool invocation (Cortex Advisory).Upgrade neuro-cortex-memory to version 3.17.1 or later, which removes CLAUDE_PROJECT_DIR from the dev-source candidate list and gates executable dev-source resolution behind an explicit opt-in requiring both CORTEX_DEV_SOURCE_SYNC=1 and CORTEX_DEV_ROOT to be set. The same fix must be applied to mcp_server/server/http_launcher.py to eliminate the secondary rsync execution path. As a temporary workaround for users unable to upgrade immediately, ensure CLAUDE_PROJECT_DIR is not set in the environment where the Cortex MCP server runs, or avoid invoking the open_visualization tool when untrusted project directories are open (Cortex Release, Cortex Advisory).
The vulnerability was reported by researcher useworld and analyzed by EQSTLab, as credited in the official advisory. The fix was published by maintainer cdeust on May 27, 2026, the same day the advisory was disclosed, indicating a coordinated disclosure process. No significant broader media coverage or notable community commentary beyond the advisory itself has been identified at this time (Cortex Advisory).
Fonte: Questo report è stato generato utilizzando l'intelligenza artificiale
Valutazione gratuita delle vulnerabilità
Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.
Richiedi una demo personalizzata
"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."