CVE-2026-58195 in agentic-flow
Summary
by MITRE • 07/17/2026
Agentic-Flow is an AI agent orchestration platform. Prior to 2.0.14, agentic-flow MCP server tools in src/mcp/standalone-stdio.ts, src/mcp/fastmcp/servers/claude-flow-sdk.ts, src/mcp/fastmcp/servers/stdio-full.ts, src/mcp/fastmcp/servers/http-streaming-updated.ts, src/mcp/fastmcp/servers/http-sse.ts, src/mcp/fastmcp/servers/poc-stdio.ts, src/mcp/fastmcp/tools/agent/{execute,list,parallel}.ts, src/mcp/fastmcp/tools/swarm/orchestrate.ts, and src/mcp/fastmcp/tools/hooks/pretrain.ts interpolated attacker-influenceable tool parameters such as agent, task, name, language, and agentdb directly into shell command strings passed to execSync(), allowing arbitrary OS command execution with the privileges of the MCP server user. This issue is fixed in version 2.0.14.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists within the Agentic-Flow AI orchestration platform where multiple server implementations and tool components fail to properly sanitize user-supplied input before incorporating it into shell command executions. The affected files span across various MCP server configurations including standalone stdio, fastmcp servers with different protocols, and agent execution tools that handle task orchestration and parallel processing. The core flaw manifests when attacker-controllable parameters such as agent identifiers, task descriptions, names, language specifications, and database references are directly interpolated into shell command strings without proper validation or sanitization.
The technical implementation of this vulnerability leverages the execSync() function which executes shell commands synchronously and inherits the privileges of the running MCP server process. When these functions receive input from untrusted sources through the tool parameters mentioned in the affected code paths, the interpolation creates a classic command injection scenario where malicious input can manipulate the intended system behavior. This allows an attacker to execute arbitrary operating system commands with the same privileges as the MCP server user, potentially leading to complete system compromise if the server operates with elevated permissions.
The operational impact of this vulnerability is severe and multifaceted across multiple attack vectors. An attacker could leverage this weakness to escalate privileges, access sensitive data stored in the agent database, install backdoors, or perform lateral movement within a network environment where Agentic-Flow is deployed. The vulnerability affects both local and remote execution contexts since many of these tools are designed for distributed orchestration, meaning an attacker could potentially exploit this from outside the local network if proper network segmentation is not implemented. The attack surface is further expanded by the presence of multiple vulnerable code paths that all share similar patterns of insecure parameter handling.
This vulnerability aligns with CWE-78 which specifically addresses OS Command Injection, representing a fundamental security flaw in input validation and sanitization practices. The issue also maps to ATT&CK technique T1059.001 for command and scripting interpreter execution, and potentially T1566 for initial access through compromised applications. Multiple mitigation strategies should be implemented including immediate patching to version 2.0.14 which resolves the issue, input validation and sanitization of all parameters before shell command construction, implementing proper parameter escaping for shell contexts, using alternative secure execution methods that avoid shell interpretation entirely, and reducing the privilege level of the MCP server process to minimize potential damage from successful exploitation attempts.