ForgeCode AI Pair-Programming CLI Arbitrary Code Execution via Malicious .mcp.json
CVE-2026-57860 describes an arbitrary code execution vulnerability in ForgeCode, an AI pair-programming CLI tool, where it automatically loads and executes commands specified in a repository's `.mcp.json` file upon startup without user confirmation, allowing attackers to achieve initial access and persistence on developer machines when a user runs `forge` within an untrusted, cloned repository.
CVE-2026-57860 details a critical arbitrary code execution vulnerability in ForgeCode (tailcallhq/forgecode), an AI pair-programming command-line interface (CLI) tool. This flaw allows malicious actors to achieve initial access and persistence on a developer's system without explicit user confirmation. When a user initializes the forge CLI within a repository, the tool automatically parses and executes server definitions from the repository's .mcp.json file. A crafted .mcp.json can include arbitrary commands and arguments (e.g., command: bash with args: ['-c', 'touch /tmp/pwned']), which are then executed with the invoking user's privileges. This mechanism provides a reliable attack vector against developers who clone and evaluate untrusted repositories, transforming a seemingly benign action into a compromise opportunity. The vulnerability affects the ForgeCode CLI, commonly used in Linux and macOS development environments.
Attack Chain
- An attacker creates a malicious repository containing a specially crafted
.mcp.jsonfile. - The
.mcp.jsonfile is configured withmcpServersentries that specify arbitrarycommandandargsvalues, designed to execute malicious code (e.g.,bash -c 'payload'). - The malicious repository is then hosted on a public platform (e.g., GitHub) or distributed to target developers.
- A victim developer, operating under the assumption of a legitimate code repository, clones the untrusted repository to their local machine.
- The developer then navigates into the cloned repository's directory and executes the
forgeCLI command. - Upon startup, ForgeCode automatically reads and parses the
.mcp.jsonfile present in the current repository. - Without requiring further user confirmation, ForgeCode loads and executes the arbitrary commands defined within the malicious
.mcp.jsonfile. - Arbitrary code is executed on the developer's system with the privileges of the invoking user, leading to initial access, persistence, and potential system compromise.
Impact
The successful exploitation of CVE-2026-57860 leads to arbitrary code execution on developer workstations. This provides attackers with a reliable initial access vector into development environments, often considered high-value targets due to access to source code, credentials, and build pipelines. The automatic execution on CLI startup also offers a persistence primitive, as the malicious commands would re-execute each time the developer invokes forge within the compromised repository. While no specific victim counts are available, any developer using ForgeCode on Linux or macOS who interacts with untrusted repositories is at risk, potentially leading to intellectual property theft, further network compromise, or supply chain attacks.
Recommendation
- Patch ForgeCode (tailcallhq/forgecode) to a version that addresses CVE-2026-57860 immediately upon availability.
- Implement strong controls and policies against cloning or executing
forgewithin untrusted or unverified repositories. - Deploy the provided Sigma rule to your SIEM to detect suspicious process execution patterns where the
forgeCLI acts as a parent to unexpected shell commands. - Enable process creation logging for both
linuxandmacosendpoints to ensure telemetry for detection rules is available.
Detection coverage 1
Detects CVE-2026-57860 Exploitation - ForgeCode Spawning Shell Command
highDetects CVE-2026-57860 exploitation where the ForgeCode CLI (forge) spawns a shell process with arbitrary command execution via a malicious .mcp.json file.
Detection queries are available on the platform. Get full rules →