Aider-MCP Command Injection Vulnerability (CVE-2026-7316)

A command injection vulnerability, identified as CVE-2026-7316, has been discovered in eiliyaabedini aider-mcp up to commit 667b914301aada695aab0e46d1fb3a7d5e32c8af. The vulnerability resides within an unspecified function of the aider_mcp.py file, specifically related to the code_with_ai component. An attacker can exploit this flaw by manipulating the working_dir/editable_files argument, leading to arbitrary command execution on the affected system. The exploit has been publicly disclosed, increasing the risk of exploitation. The aider-mcp project employs a rolling release model, which complicates identifying specific affected versions.

Attack Chain

1. A remote attacker identifies an instance of aider-mcp running with accessible aider_mcp.py code.
2. The attacker crafts a malicious payload containing OS commands, targeting the working_dir/editable_files argument of the vulnerable function within aider_mcp.py.
3. The attacker sends the crafted payload to the aider-mcp instance through a network request, potentially via HTTP or another supported protocol.
4. The vulnerable function in aider_mcp.py processes the attacker-supplied working_dir/editable_files argument without proper sanitization or validation.
5. The injected OS commands within the working_dir/editable_files argument are executed by the aider-mcp instance.
6. The attacker gains arbitrary command execution on the server, allowing them to perform actions such as reading sensitive files, modifying system configurations, or installing malware.
7. The attacker may establish persistence by creating a new user account or modifying startup scripts.
8. The attacker further compromises the system or pivots to other systems in the network.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary commands on the affected system. This could lead to complete system compromise, data theft, or denial of service. Given the public disclosure of the exploit, systems running vulnerable versions of aider-mcp are at significant risk.

Recommendation

• Monitor process creation events for commands being executed with a parent process associated with aider-mcp to detect potential command injection attempts using the AiderMCPCommandInjection Sigma rule.
• Inspect web server logs for suspicious requests containing unusual characters or command sequences in the working_dir or editable_files parameters that may indicate command injection attempts.
• While specific version information is unavailable, attempt to identify and patch any instances of aider-mcp using indicators of compromise or behavioral detections until a patched version is released.