idachev mcp-javadc OS Command Injection via HTTP Interface (CVE-2026-5802)
A remote command injection vulnerability (CVE-2026-5802) exists in idachev mcp-javadc up to version 1.2.4 via the HTTP Interface by manipulating the jarFilePath argument, allowing unauthenticated attackers to execute arbitrary OS commands.
A critical OS command injection vulnerability, CVE-2026-5802, has been identified in idachev mcp-javadc, a Java decompiler, up to version 1.2.4. The vulnerability resides within the HTTP Interface component. By manipulating the jarFilePath argument, a remote attacker can inject and execute arbitrary operating system commands on the server. This vulnerability is remotely exploitable without authentication, increasing the severity. Publicly available exploits exist, potentially leading to widespread exploitation. The vendor has been notified through an issue report but has not yet responded.
Attack Chain
- The attacker sends a malicious HTTP request to the vulnerable
mcp-javadcserver. - The HTTP request targets the HTTP Interface component.
- The attacker crafts the request to manipulate the
jarFilePathargument. - The server-side code fails to properly sanitize the
jarFilePathargument. - The unsanitized
jarFilePathargument is passed to an operating system command. - The injected OS command is executed by the server with the privileges of the
mcp-javadcprocess. - The attacker gains arbitrary code execution on the server.
- The attacker can then perform further actions, such as data exfiltration, lateral movement, or denial of service.
Impact
Successful exploitation of CVE-2026-5802 allows unauthenticated remote attackers to execute arbitrary operating system commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. As this vulnerability affects a software development tool, successful attacks could compromise software build pipelines, leading to supply chain attacks. The number of potential victims is currently unknown, but given the publicly available exploit, the risk of widespread exploitation is high.
Recommendation
- Apply available patches for
mcp-javadcif they become available. - Deploy the Sigma rule
Detect Suspicious JarFilePath Parameter in HTTP Requestto identify exploitation attempts targeting thejarFilePathparameter. - Monitor web server logs for unusual HTTP requests containing suspicious characters or command sequences within the
jarFilePathparameter. - Implement input validation and sanitization measures on the server-side to prevent command injection.
- Place the affected server in an isolated network segment to limit the impact of potential compromise.
Detection coverage 2
Detect Suspicious JarFilePath Parameter in HTTP Request
highDetects suspicious HTTP requests targeting the HTTP Interface component with a malicious jarFilePath parameter, indicative of command injection attempts.
Detect Command Execution via Web Server
criticalDetects command execution originating from the web server process, which could be a result of command injection.
Detection queries are available on the platform. Get full rules →