CVE-2026-57860 in ForgeCode
Summary
by MITRE • 07/17/2026
ForgeCode (tailcallhq/forgecode), an AI pair-programming CLI, automatically loads and executes the MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can supply a crafted .mcp.json whose mcpServers entries specify arbitrary command and args values (for example, command: bash with args: ['-c', 'touch /tmp/pwned']). When a user runs the forge CLI inside a cloned untrusted repository, the specified commands are spawned with the invoking user's privileges, resulting in arbitrary code execution. This provides a reliable initial-access and persistence primitive against developers who evaluate untrusted repositories with ForgeCode.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists in ForgeCode version 0.1.32 and earlier, where the application automatically loads and executes MCP servers defined in repository configuration files without requiring user confirmation or validation. The core flaw resides in the improper handling of untrusted configuration data, specifically the .mcp.json file that defines mcpServers entries containing command execution parameters. When a user clones and navigates into an untrusted repository containing a maliciously crafted .mcp.json file, ForgeCode executes the specified commands with the privileges of the invoking user, creating a critical privilege escalation vector.
The technical implementation of this vulnerability stems from a lack of input validation and sanitization in the configuration loading process. The application directly spawns processes using the command and args values specified in the mcpServers entries without any verification of their legitimacy or safety. This behavior aligns with CWE-78, which describes improper neutralization of special elements used in OS commands, and CWE-15, which addresses external control of system state. The vulnerability enables arbitrary code execution through the command injection mechanism where attackers can specify any executable command and its arguments, allowing for complete system compromise when executed by developers.
The operational impact of this vulnerability is severe as it provides a reliable initial access and persistence primitive against developers who routinely evaluate untrusted repositories. Attackers can craft malicious .mcp.json files that execute commands such as creating backdoor files, establishing reverse shells, or exfiltrating sensitive data from the developer's environment. This attack vector leverages the trust relationship between developers and their development tools, making it particularly dangerous in environments where developers frequently clone and test repositories from untrusted sources. The vulnerability is especially concerning because it operates at the tool level rather than requiring exploitation of specific application vulnerabilities, making it more accessible to attackers with minimal technical expertise.
The security implications extend beyond immediate code execution to include potential privilege escalation and persistence mechanisms. Attackers can use this vulnerability to establish footholds within development environments, potentially accessing source code repositories, build systems, or other sensitive infrastructure. The attack pattern follows the initial access phase of the kill chain, where attackers gain entry through legitimate tools and processes. Mitigation strategies should include implementing strict configuration file validation, requiring explicit user confirmation for executing external commands, and employing sandboxing mechanisms. Organizations should also consider implementing security awareness training to prevent developers from inadvertently executing malicious code through trusted development tools. Additionally, this vulnerability demonstrates the importance of following secure coding practices such as those outlined in the OWASP Secure Coding Practices and aligns with ATT&CK technique T1059.004 for command and scripting interpreter.