{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/claude-code-ide-extension/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["neuro-cortex-memory \u003c= 3.17.0","Claude Code IDE extension"],"_cs_severities":["high"],"_cs_tags":["rce","lpe","supply-chain","ide","python","environment-variable"],"_cs_type":"advisory","_cs_vendors":["Cortex","Claude Code"],"content_html":"\u003cp\u003eA high-severity local arbitrary code execution (LACE) vulnerability, identified as CVE-2026-49986, affects the Cortex MCP server (\u003ccode\u003eneuro-cortex-memory\u003c/code\u003e) versions up to 3.17.0. This flaw arises because the server implicitly trusts the \u003ccode\u003eCLAUDE_PROJECT_DIR\u003c/code\u003e environment variable, which is automatically set by the Claude Code IDE extension to the currently open project directory. An attacker can craft a malicious project containing specific marker files (\u003ccode\u003emcp_server/\u003c/code\u003e subdirectory and \u003ccode\u003eui/unified-viz.html\u003c/code\u003e) and an arbitrary Python script named \u003ccode\u003evisualize_bootstrap.py\u003c/code\u003e. When a victim is social-engineered into opening this project in Claude Code and then invokes the \u003ccode\u003e/cortex-visualize\u003c/code\u003e slash command or the \u003ccode\u003eopen_visualization\u003c/code\u003e tool, the malicious script is executed with the victim's local user privileges via \u003ccode\u003esubprocess.run()\u003c/code\u003e. This vulnerability allows for sensitive data exfiltration, system manipulation, and potential persistence mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious project directory, including specific marker files (\u003ccode\u003emcp_server/\u003c/code\u003e subdirectory, \u003ccode\u003eui/unified-viz.html\u003c/code\u003e) and an arbitrary Python script positioned at \u003ccode\u003emcp_server/server/visualize_bootstrap.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker social-engineers the victim into opening this malicious project within the Claude Code IDE.\u003c/li\u003e\n\u003cli\u003eUpon opening the project, the Claude Code IDE extension automatically sets the \u003ccode\u003eCLAUDE_PROJECT_DIR\u003c/code\u003e environment variable to the path of the malicious project.\u003c/li\u003e\n\u003cli\u003eThe victim subsequently invokes the \u003ccode\u003e/cortex-visualize\u003c/code\u003e slash command or triggers the \u003ccode\u003eopen_visualization\u003c/code\u003e MCP tool within the Claude Code interface.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eopen_visualization\u003c/code\u003e handler in \u003ccode\u003emcp_server/handlers/open_visualization.py\u003c/code\u003e resolves the path specified by \u003ccode\u003eCLAUDE_PROJECT_DIR\u003c/code\u003e as a trusted Cortex source root, due to the presence of the attacker-controlled marker files.\u003c/li\u003e\n\u003cli\u003eThe handler then constructs a path to the attacker's \u003ccode\u003evisualize_bootstrap.py\u003c/code\u003e script located within the malicious project directory.\u003c/li\u003e\n\u003cli\u003eThe handler executes this malicious \u003ccode\u003evisualize_bootstrap.py\u003c/code\u003e script via \u003ccode\u003esubprocess.run([sys.executable, ...])\u003c/code\u003e with the full privileges of the victim's local user account.\u003c/li\u003e\n\u003cli\u003eThe executed malicious script performs actions such as data exfiltration (e.g., files, secrets, SSH/GPG keys), local file modification, or establishes persistence by overwriting files in the Cortex plugin cache directory via a secondary path in \u003ccode\u003ehttp_launcher.py\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability leads to local arbitrary code execution (LACE) with the privileges of the victim's local user account. Any user with Cortex MCP plugin installed who is tricked into opening an attacker-controlled project in Claude Code and activating the visualization tool is at severe risk. The consequences include, but are not limited to, complete compromise of user data confidentiality through exfiltration of files, secrets, and credentials (e.g., environment variables, SSH/GPG keys). Integrity is also threatened, as attackers can modify or delete local files, source code, and cached data. Furthermore, the attack can impact system availability by terminating local processes or destroying user data. The secondary execution path via \u003ccode\u003ehttp_launcher.py\u003c/code\u003e enables persistence by allowing attackers to overwrite files in the Cortex plugin cache.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply the vendor-recommended remediation to patch \u003ccode\u003emcp_server/handlers/open_visualization.py\u003c/code\u003e and \u003ccode\u003emcp_server/server/http_launcher.py\u003c/code\u003e to remove \u003ccode\u003eCLAUDE_PROJECT_DIR\u003c/code\u003e from the dev-source candidate list and gate executable dev-source resolution behind an explicit opt-in flag, as described in CVE-2026-49986.\u003c/li\u003e\n\u003cli\u003eEnsure that all instances of \u003ccode\u003eneuro-cortex-memory\u003c/code\u003e are updated to a version greater than 3.17.0.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening untrusted project directories or repositories in development environments and the potential for social engineering to exploit CVE-2026-49986.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T12:41:26Z","date_published":"2026-07-03T12:41:26Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cortex-rce/","summary":"The Cortex MCP server (`neuro-cortex-memory`) is vulnerable to local arbitrary code execution (CVE-2026-49986) when a user opens an attacker-controlled project in the Claude Code IDE and invokes the `open_visualization` tool, allowing an attacker to execute arbitrary Python code with the victim's local user privileges by manipulating the `CLAUDE_PROJECT_DIR` environment variable.","title":"Cortex MCP Server Untrusted Project Bootstrap Code Execution (CVE-2026-49986)","url":"https://feed.craftedsignal.io/briefs/2026-07-cortex-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Claude Code IDE Extension","version":"https://jsonfeed.org/version/1.1"}