CVE-2026-49986
Python Analisi e mitigazione delle vulnerabilità

Panoramica

CVE-2026-49986 is an untrusted project bootstrap code execution vulnerability in the Cortex MCP server (neuro-cortex-memory) that allows local attackers to execute arbitrary Python code by placing crafted marker files in a malicious project directory. The vulnerability affects all versions of neuro-cortex-memory up to and including 3.17.0, with version 3.17.1 containing the fix. It was first published by the maintainer on May 27, 2026, and added to the GitHub Advisory Database on July 1, 2026. The CVSS v3.1 base score is 7.8 (High), and the CVSS v4.0 base score is 7.1 (High) (GitHub Advisory, Cortex Advisory).

Dettagli tecnici

The root cause is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The _find_dev_source() function in mcp_server/handlers/open_visualization.py iterates over both CORTEX_DEV_ROOT and CLAUDE_PROJECT_DIR environment variables to build a list of candidate Cortex source root directories. Since CLAUDE_PROJECT_DIR is automatically set by the Claude Code IDE extension to the currently open project directory, any project a user opens is silently treated as a potential Cortex developer checkout. The only validation performed by _is_cortex_root() is checking for the presence of an mcp_server/ subdirectory and a ui/unified-viz.html file — trivially replicable markers — after which mcp_server/server/visualize_bootstrap.py is executed unconditionally via subprocess.run([sys.executable, ...]). A secondary execution path exists in mcp_server/server/http_launcher.py, where the same untrusted source is used to rsync attacker-controlled files into the Cortex plugin cache. A public proof-of-concept is included in the advisory (GitHub Advisory, Cortex Advisory).

Impatto

Successful exploitation results in arbitrary Python code execution with the full privileges of the victim's local user account — the same account running Claude Code and the Cortex MCP server process. Confidentiality impact includes exfiltration of local files, secrets, environment variables, and SSH/GPG keys. Integrity and availability impacts include modification or deletion of local files, source code, credentials, and plugin caches, as well as termination of local processes. The secondary http_launcher.py path additionally allows an attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed (Cortex Advisory).

Passaggi di sfruttamento

  1. Craft malicious repository: Create a directory containing the two marker files required to pass _is_cortex_root() validation: mcp_server/ (subdirectory) and ui/unified-viz.html (file with any content).
  2. Plant malicious bootstrap script: Place an arbitrary Python payload at mcp_server/server/visualize_bootstrap.py within the crafted directory (e.g., a reverse shell, credential exfiltration script, or persistence mechanism).
  3. Social-engineer the victim: Distribute the malicious repository (e.g., via GitHub, email, or a shared link) and convince the victim to clone or open it in Claude Code. When opened, Claude Code automatically sets CLAUDE_PROJECT_DIR to the malicious directory.
  4. Trigger the vulnerable tool: Wait for or prompt the victim to invoke the open_visualization MCP tool — for example, by suggesting they run the /cortex-visualize slash command in the Claude Code interface.
  5. Achieve code execution: _find_dev_source() reads CLAUDE_PROJECT_DIR, _is_cortex_root() validates the trivial markers, and subprocess.run([sys.executable, 'mcp_server/server/visualize_bootstrap.py']) executes the attacker's payload with the victim's local user privileges (Cortex Advisory).

Indicatori di compromesso

  • File System: Presence of mcp_server/ subdirectory and ui/unified-viz.html in a non-Cortex project directory opened in Claude Code; unexpected or modified files in the Cortex plugin cache directory; creation of sentinel or payload files in /tmp/ (e.g., /tmp/cortex-open-visualization-poc-owned).
  • Process: Unexpected Python child processes spawned by the Cortex MCP server process executing scripts from user project directories (e.g., python mcp_server/server/visualize_bootstrap.py from a non-standard path); rsync processes initiated by http_launcher.py copying files from a user project directory into the Cortex plugin cache.
  • Logs: MCP server logs showing open_visualization tool invocations followed by subprocess.run calls referencing paths outside the legitimate Cortex installation directory; unexpected outbound network connections from the Python process after tool invocation (Cortex Advisory).

Mitigazione e soluzioni alternative

Upgrade neuro-cortex-memory to version 3.17.1 or later, which removes CLAUDE_PROJECT_DIR from the dev-source candidate list and gates executable dev-source resolution behind an explicit opt-in requiring both CORTEX_DEV_SOURCE_SYNC=1 and CORTEX_DEV_ROOT to be set. The same fix must be applied to mcp_server/server/http_launcher.py to eliminate the secondary rsync execution path. As a temporary workaround for users unable to upgrade immediately, ensure CLAUDE_PROJECT_DIR is not set in the environment where the Cortex MCP server runs, or avoid invoking the open_visualization tool when untrusted project directories are open (Cortex Release, Cortex Advisory).

Reazioni della comunità

The vulnerability was reported by researcher useworld and analyzed by EQSTLab, as credited in the official advisory. The fix was published by maintainer cdeust on May 27, 2026, the same day the advisory was disclosed, indicating a coordinated disclosure process. No significant broader media coverage or notable community commentary beyond the advisory itself has been identified at this time (Cortex Advisory).

Risorse aggiuntive


FonteQuesto report è stato generato utilizzando l'intelligenza artificiale

Imparentato Python Vulnerabilità:

CVE ID

Severità

Punteggio

Tecnologie

Nome del componente

Exploit CISA KEV

Ha la correzione

Data di pubblicazione

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NoJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NoNoJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NoJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NoJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NoJun 26, 2026

Valutazione gratuita delle vulnerabilità

Benchmark della tua posizione di sicurezza del cloud

Valuta le tue pratiche di sicurezza cloud in 9 domini di sicurezza per confrontare il tuo livello di rischio e identificare le lacune nelle tue difese.

Richiedi valutazione

Richiedi una demo personalizzata

Pronti a vedere Wiz in azione?

"La migliore esperienza utente che abbia mai visto offre piena visibilità ai carichi di lavoro cloud."
David EstlickCISO (CISO)
"Wiz fornisce un unico pannello di controllo per vedere cosa sta succedendo nei nostri ambienti cloud."
Adam FletcherResponsabile della sicurezza
"Sappiamo che se Wiz identifica qualcosa come critico, in realtà lo è."
Greg PoniatowskiResponsabile della gestione delle minacce e delle vulnerabilità