Cortex MCP Server Untrusted Project Bootstrap Code Execution (CVE-2026-49986)
The Cortex MCP server (`neuro-cortex-memory`) is vulnerable to local arbitrary code execution (CVE-2026-49986) when a user opens an attacker-controlled project in the Claude Code IDE and invokes the `open_visualization` tool, allowing an attacker to execute arbitrary Python code with the victim's local user privileges by manipulating the `CLAUDE_PROJECT_DIR` environment variable.
A high-severity local arbitrary code execution (LACE) vulnerability, identified as CVE-2026-49986, affects the Cortex MCP server (neuro-cortex-memory) versions up to 3.17.0. This flaw arises because the server implicitly trusts the CLAUDE_PROJECT_DIR environment variable, which is automatically set by the Claude Code IDE extension to the currently open project directory. An attacker can craft a malicious project containing specific marker files (mcp_server/ subdirectory and ui/unified-viz.html) and an arbitrary Python script named visualize_bootstrap.py. When a victim is social-engineered into opening this project in Claude Code and then invokes the /cortex-visualize slash command or the open_visualization tool, the malicious script is executed with the victim's local user privileges via subprocess.run(). This vulnerability allows for sensitive data exfiltration, system manipulation, and potential persistence mechanisms.
Attack Chain
- An attacker crafts a malicious project directory, including specific marker files (
mcp_server/subdirectory,ui/unified-viz.html) and an arbitrary Python script positioned atmcp_server/server/visualize_bootstrap.py. - The attacker social-engineers the victim into opening this malicious project within the Claude Code IDE.
- Upon opening the project, the Claude Code IDE extension automatically sets the
CLAUDE_PROJECT_DIRenvironment variable to the path of the malicious project. - The victim subsequently invokes the
/cortex-visualizeslash command or triggers theopen_visualizationMCP tool within the Claude Code interface. - The
open_visualizationhandler inmcp_server/handlers/open_visualization.pyresolves the path specified byCLAUDE_PROJECT_DIRas a trusted Cortex source root, due to the presence of the attacker-controlled marker files. - The handler then constructs a path to the attacker's
visualize_bootstrap.pyscript located within the malicious project directory. - The handler executes this malicious
visualize_bootstrap.pyscript viasubprocess.run([sys.executable, ...])with the full privileges of the victim's local user account. - The executed malicious script performs actions such as data exfiltration (e.g., files, secrets, SSH/GPG keys), local file modification, or establishes persistence by overwriting files in the Cortex plugin cache directory via a secondary path in
http_launcher.py.
Impact
This vulnerability leads to local arbitrary code execution (LACE) with the privileges of the victim's local user account. Any user with Cortex MCP plugin installed who is tricked into opening an attacker-controlled project in Claude Code and activating the visualization tool is at severe risk. The consequences include, but are not limited to, complete compromise of user data confidentiality through exfiltration of files, secrets, and credentials (e.g., environment variables, SSH/GPG keys). Integrity is also threatened, as attackers can modify or delete local files, source code, and cached data. Furthermore, the attack can impact system availability by terminating local processes or destroying user data. The secondary execution path via http_launcher.py enables persistence by allowing attackers to overwrite files in the Cortex plugin cache.
Recommendation
- Immediately apply the vendor-recommended remediation to patch
mcp_server/handlers/open_visualization.pyandmcp_server/server/http_launcher.pyto removeCLAUDE_PROJECT_DIRfrom the dev-source candidate list and gate executable dev-source resolution behind an explicit opt-in flag, as described in CVE-2026-49986. - Ensure that all instances of
neuro-cortex-memoryare updated to a version greater than 3.17.0. - Educate users about the risks of opening untrusted project directories or repositories in development environments and the potential for social engineering to exploit CVE-2026-49986.