CVE-2026-49986
Python Análise e mitigação de vulnerabilidades

Visão geral

CVE-2026-49986 is an untrusted project bootstrap code execution vulnerability in the Cortex MCP server (neuro-cortex-memory) that allows local attackers to execute arbitrary Python code by placing crafted marker files in a malicious project directory. The vulnerability affects all versions of neuro-cortex-memory up to and including 3.17.0, with version 3.17.1 containing the fix. It was first published by the maintainer on May 27, 2026, and added to the GitHub Advisory Database on July 1, 2026. The CVSS v3.1 base score is 7.8 (High), and the CVSS v4.0 base score is 7.1 (High) (GitHub Advisory, Cortex Advisory).

Detalhes técnicos

The root cause is classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The _find_dev_source() function in mcp_server/handlers/open_visualization.py iterates over both CORTEX_DEV_ROOT and CLAUDE_PROJECT_DIR environment variables to build a list of candidate Cortex source root directories. Since CLAUDE_PROJECT_DIR is automatically set by the Claude Code IDE extension to the currently open project directory, any project a user opens is silently treated as a potential Cortex developer checkout. The only validation performed by _is_cortex_root() is checking for the presence of an mcp_server/ subdirectory and a ui/unified-viz.html file — trivially replicable markers — after which mcp_server/server/visualize_bootstrap.py is executed unconditionally via subprocess.run([sys.executable, ...]). A secondary execution path exists in mcp_server/server/http_launcher.py, where the same untrusted source is used to rsync attacker-controlled files into the Cortex plugin cache. A public proof-of-concept is included in the advisory (GitHub Advisory, Cortex Advisory).

Impacto

Successful exploitation results in arbitrary Python code execution with the full privileges of the victim's local user account — the same account running Claude Code and the Cortex MCP server process. Confidentiality impact includes exfiltration of local files, secrets, environment variables, and SSH/GPG keys. Integrity and availability impacts include modification or deletion of local files, source code, credentials, and plugin caches, as well as termination of local processes. The secondary http_launcher.py path additionally allows an attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed (Cortex Advisory).

Etapas de exploração

  1. Craft malicious repository: Create a directory containing the two marker files required to pass _is_cortex_root() validation: mcp_server/ (subdirectory) and ui/unified-viz.html (file with any content).
  2. Plant malicious bootstrap script: Place an arbitrary Python payload at mcp_server/server/visualize_bootstrap.py within the crafted directory (e.g., a reverse shell, credential exfiltration script, or persistence mechanism).
  3. Social-engineer the victim: Distribute the malicious repository (e.g., via GitHub, email, or a shared link) and convince the victim to clone or open it in Claude Code. When opened, Claude Code automatically sets CLAUDE_PROJECT_DIR to the malicious directory.
  4. Trigger the vulnerable tool: Wait for or prompt the victim to invoke the open_visualization MCP tool — for example, by suggesting they run the /cortex-visualize slash command in the Claude Code interface.
  5. Achieve code execution: _find_dev_source() reads CLAUDE_PROJECT_DIR, _is_cortex_root() validates the trivial markers, and subprocess.run([sys.executable, 'mcp_server/server/visualize_bootstrap.py']) executes the attacker's payload with the victim's local user privileges (Cortex Advisory).

Indicadores de compromisso

  • File System: Presence of mcp_server/ subdirectory and ui/unified-viz.html in a non-Cortex project directory opened in Claude Code; unexpected or modified files in the Cortex plugin cache directory; creation of sentinel or payload files in /tmp/ (e.g., /tmp/cortex-open-visualization-poc-owned).
  • Process: Unexpected Python child processes spawned by the Cortex MCP server process executing scripts from user project directories (e.g., python mcp_server/server/visualize_bootstrap.py from a non-standard path); rsync processes initiated by http_launcher.py copying files from a user project directory into the Cortex plugin cache.
  • Logs: MCP server logs showing open_visualization tool invocations followed by subprocess.run calls referencing paths outside the legitimate Cortex installation directory; unexpected outbound network connections from the Python process after tool invocation (Cortex Advisory).

Mitigação e soluções alternativas

Upgrade neuro-cortex-memory to version 3.17.1 or later, which removes CLAUDE_PROJECT_DIR from the dev-source candidate list and gates executable dev-source resolution behind an explicit opt-in requiring both CORTEX_DEV_SOURCE_SYNC=1 and CORTEX_DEV_ROOT to be set. The same fix must be applied to mcp_server/server/http_launcher.py to eliminate the secondary rsync execution path. As a temporary workaround for users unable to upgrade immediately, ensure CLAUDE_PROJECT_DIR is not set in the environment where the Cortex MCP server runs, or avoid invoking the open_visualization tool when untrusted project directories are open (Cortex Release, Cortex Advisory).

Reações da comunidade

The vulnerability was reported by researcher useworld and analyzed by EQSTLab, as credited in the official advisory. The fix was published by maintainer cdeust on May 27, 2026, the same day the advisory was disclosed, indicating a coordinated disclosure process. No significant broader media coverage or notable community commentary beyond the advisory itself has been identified at this time (Cortex Advisory).

Recursos adicionais


OrigemEste relatório foi gerado usando IA

Relacionado Python Vulnerabilidades:

CVE ID

Gravidade

Pontuação

Tecnologias

Nome do componente

Exploração do CISA KEV

Tem correção

Data de publicação

CVE-2026-57585HIGH7.5
  • Python logoPython
  • python-pip
NãoSimJun 30, 2026
CVE-2026-12243HIGH7.5
  • Python logoPython
  • nltk
NãoNãoJun 30, 2026
CVE-2026-49986HIGH7.1
  • Python logoPython
  • neuro-cortex-memory
NãoSimJul 01, 2026
CVE-2026-57204MEDIUM6.9
  • Python logoPython
  • pypdf
NãoSimJun 30, 2026
GHSA-75mw-h36v-2jv7MEDIUM6.1
  • Python logoPython
  • dosage
NãoSimJun 26, 2026

Avaliação de vulnerabilidade gratuita

Compare sua postura de segurança na nuvem

Avalie suas práticas de segurança na nuvem em 9 domínios de segurança para comparar seu nível de risco e identificar lacunas em suas defesas.

Solicitar avaliação

Marque uma demonstração personalizada

Pronto para ver a Wiz em ação?

"A melhor experiência do usuário que eu já vi, fornece visibilidade total para cargas de trabalho na nuvem."
David EstlickCISO
"A Wiz fornece um único painel de vidro para ver o que está acontecendo em nossos ambientes de nuvem."
Adão FletcherDiretor de Segurança
"Sabemos que se a Wiz identifica algo como crítico, na verdade é."
Greg PoniatowskiChefe de Gerenciamento de Ameaças e Vulnerabilidades