Before you open this issue
Behavioral fingerprint
An MCP tool's own server-side handler code passes a caller-supplied tool-call parameter value into a shell/system-command execution call without sanitization, achieving arbitrary OS command execution independent of any LLM reasoning or prompt content — a non-agentic attacker can trigger it with a raw, crafted JSON-RPC tool-call request.
Why this is a new class, not a variant
Checked against AVE-2026-00004 (Shell Pipe Injection) and AVE-2026-00033 (Unsafe Deserialization). Both describe skill/prompt content instructing the agent, via natural language, to construct and run a dangerous command — the vulnerability lives in what the text tells the LLM to do, and detection is content-layer prompt scanning.
This candidate is different in kind: a classic CWE-78 flaw in the tool's own implementation code (e.g. an execAsync handler). No LLM instruction-following is involved — the flaw fires on a raw tool-call parameter value regardless of how or why that value arrived. Detection requires SAST/code review of the server's source, not content-layer prompt scanning. Folding this into 00004 would erase the distinction between prompt-driven misuse of a legitimate capability and a code-level injection bug in the capability's own implementation.
Primary source
NVD CVE-2026-0755 — gemini-mcp-tool v1.1.2, CWE-78 (OS Command Injection), CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Root cause: the execAsync method fails to validate a user-supplied string before passing it to a system call. Corroborated by Snyk SNYK-JS-GEMINIMCPTOOL-15091895 and the GitLab Advisory Database. Verified directly against NVD, not taken from search-summary text.
Proposed record skeleton
attack_class: Tool Abuse - Implementation Command Injection (naming open to discussion —
first record describing a code-level flaw in a tool's OWN implementation
rather than prompt-driven misuse; may warrant its own category)
severity: CRITICAL (est.)
owasp_mcp: [MCP05, MCP04] (MCP05 = Command Injection and Execution, exact-match
category per crosswalks/ave-to-owasp-mcp.md; MCP04 = Software Supply Chain
Attacks, secondary, since the flaw ships inside a distributed tool package)
owasp_asi: (none proposed — TBD during implementation)
mitre_atlas: none — classic CWE-78, outside ATLAS's ML-adversarial-technique scope (checked)
detection_layer: content (closest existing enum value — this scans the tool's OWN source,
not a skill/prompt file; flagging that this stretches the current five-layer
taxonomy's naming slightly, worth a decision during implementation)
detection_stage: static_detection
evidence_basis_engines: [semgrep, pattern]
Note: this repo completed a v1.1.0 field rename (owasp_mapping → owasp_asi,
mitre_atlas_mapping → mitre_atlas) after .github/ISSUE_TEMPLATE/01_ave_submission.md
was last written — the template still shows the pre-rename field names. Using the current
(post-migration) names above since that's what schema/ave-record-1.1.0.schema.json
actually validates against; the template is due for a small doc-sync follow-up.
Real-world evidence
CVE-2026-0755, CVSS 9.8, patched in gemini-mcp-tool 1.1.6. Real, disclosed, unauthenticated RCE — pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
- Tool handler code passes a raw, caller-supplied string parameter directly into
exec() / execSync() / child_process.exec() / execAsync() with no argument-array separation or shell-metacharacter escaping
- Absence of an allowlist or sanitization step between a tool's declared parameter schema and its shell/system-call invocation
Researcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)
Before you open this issue
records/directoryBehavioral fingerprint
An MCP tool's own server-side handler code passes a caller-supplied tool-call parameter value into a shell/system-command execution call without sanitization, achieving arbitrary OS command execution independent of any LLM reasoning or prompt content — a non-agentic attacker can trigger it with a raw, crafted JSON-RPC tool-call request.
Why this is a new class, not a variant
Checked against AVE-2026-00004 (Shell Pipe Injection) and AVE-2026-00033 (Unsafe Deserialization). Both describe skill/prompt content instructing the agent, via natural language, to construct and run a dangerous command — the vulnerability lives in what the text tells the LLM to do, and detection is content-layer prompt scanning.
This candidate is different in kind: a classic CWE-78 flaw in the tool's own implementation code (e.g. an
execAsynchandler). No LLM instruction-following is involved — the flaw fires on a raw tool-call parameter value regardless of how or why that value arrived. Detection requires SAST/code review of the server's source, not content-layer prompt scanning. Folding this into 00004 would erase the distinction between prompt-driven misuse of a legitimate capability and a code-level injection bug in the capability's own implementation.Primary source
NVD CVE-2026-0755 — gemini-mcp-tool v1.1.2, CWE-78 (OS Command Injection), CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Root cause: the
execAsyncmethod fails to validate a user-supplied string before passing it to a system call. Corroborated by Snyk SNYK-JS-GEMINIMCPTOOL-15091895 and the GitLab Advisory Database. Verified directly against NVD, not taken from search-summary text.Proposed record skeleton
Note: this repo completed a v1.1.0 field rename (
owasp_mapping→owasp_asi,mitre_atlas_mapping→mitre_atlas) after.github/ISSUE_TEMPLATE/01_ave_submission.mdwas last written — the template still shows the pre-rename field names. Using the current
(post-migration) names above since that's what
schema/ave-record-1.1.0.schema.jsonactually validates against; the template is due for a small doc-sync follow-up.
Real-world evidence
CVE-2026-0755, CVSS 9.8, patched in gemini-mcp-tool 1.1.6. Real, disclosed, unauthenticated RCE — pushes THM toward 1.0 in AIVSS scoring.
Indicators of compromise
exec()/execSync()/child_process.exec()/execAsync()with no argument-array separation or shell-metacharacter escapingResearcher
Bawbel Security Research Team (research-new-attack-classes skill run, 2026-07-10)