<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Claude Code IDE Extension - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/claude-code-ide-extension/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 12:41:26 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/claude-code-ide-extension/feed.xml" rel="self" type="application/rss+xml"/><item><title>Cortex MCP Server Untrusted Project Bootstrap Code Execution (CVE-2026-49986)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cortex-rce/</link><pubDate>Fri, 03 Jul 2026 12:41:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cortex-rce/</guid><description>The Cortex MCP server (`neuro-cortex-memory`) is vulnerable to local arbitrary code execution (CVE-2026-49986) when a user opens an attacker-controlled project in the Claude Code IDE and invokes the `open_visualization` tool, allowing an attacker to execute arbitrary Python code with the victim's local user privileges by manipulating the `CLAUDE_PROJECT_DIR` environment variable.</description><content:encoded><![CDATA[<p>A high-severity local arbitrary code execution (LACE) vulnerability, identified as CVE-2026-49986, affects the Cortex MCP server (<code>neuro-cortex-memory</code>) versions up to 3.17.0. This flaw arises because the server implicitly trusts the <code>CLAUDE_PROJECT_DIR</code> environment variable, which is automatically set by the Claude Code IDE extension to the currently open project directory. An attacker can craft a malicious project containing specific marker files (<code>mcp_server/</code> subdirectory and <code>ui/unified-viz.html</code>) and an arbitrary Python script named <code>visualize_bootstrap.py</code>. When a victim is social-engineered into opening this project in Claude Code and then invokes the <code>/cortex-visualize</code> slash command or the <code>open_visualization</code> tool, the malicious script is executed with the victim's local user privileges via <code>subprocess.run()</code>. This vulnerability allows for sensitive data exfiltration, system manipulation, and potential persistence mechanisms.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious project directory, including specific marker files (<code>mcp_server/</code> subdirectory, <code>ui/unified-viz.html</code>) and an arbitrary Python script positioned at <code>mcp_server/server/visualize_bootstrap.py</code>.</li>
<li>The attacker social-engineers the victim into opening this malicious project within the Claude Code IDE.</li>
<li>Upon opening the project, the Claude Code IDE extension automatically sets the <code>CLAUDE_PROJECT_DIR</code> environment variable to the path of the malicious project.</li>
<li>The victim subsequently invokes the <code>/cortex-visualize</code> slash command or triggers the <code>open_visualization</code> MCP tool within the Claude Code interface.</li>
<li>The <code>open_visualization</code> handler in <code>mcp_server/handlers/open_visualization.py</code> resolves the path specified by <code>CLAUDE_PROJECT_DIR</code> as a trusted Cortex source root, due to the presence of the attacker-controlled marker files.</li>
<li>The handler then constructs a path to the attacker's <code>visualize_bootstrap.py</code> script located within the malicious project directory.</li>
<li>The handler executes this malicious <code>visualize_bootstrap.py</code> script via <code>subprocess.run([sys.executable, ...])</code> with the full privileges of the victim's local user account.</li>
<li>The executed malicious script performs actions such as data exfiltration (e.g., files, secrets, SSH/GPG keys), local file modification, or establishes persistence by overwriting files in the Cortex plugin cache directory via a secondary path in <code>http_launcher.py</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability leads to local arbitrary code execution (LACE) with the privileges of the victim's local user account. Any user with Cortex MCP plugin installed who is tricked into opening an attacker-controlled project in Claude Code and activating the visualization tool is at severe risk. The consequences include, but are not limited to, complete compromise of user data confidentiality through exfiltration of files, secrets, and credentials (e.g., environment variables, SSH/GPG keys). Integrity is also threatened, as attackers can modify or delete local files, source code, and cached data. Furthermore, the attack can impact system availability by terminating local processes or destroying user data. The secondary execution path via <code>http_launcher.py</code> enables persistence by allowing attackers to overwrite files in the Cortex plugin cache.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply the vendor-recommended remediation to patch <code>mcp_server/handlers/open_visualization.py</code> and <code>mcp_server/server/http_launcher.py</code> to remove <code>CLAUDE_PROJECT_DIR</code> from the dev-source candidate list and gate executable dev-source resolution behind an explicit opt-in flag, as described in CVE-2026-49986.</li>
<li>Ensure that all instances of <code>neuro-cortex-memory</code> are updated to a version greater than 3.17.0.</li>
<li>Educate users about the risks of opening untrusted project directories or repositories in development environments and the potential for social engineering to exploit CVE-2026-49986.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rce</category><category>lpe</category><category>supply-chain</category><category>ide</category><category>python</category><category>environment-variable</category></item></channel></rss>