A high-severity OS command injection vulnerability (CVE-2026-6130) has been disclosed in Chatbox AI versions 1.20.0 and earlier, exposing users to remote arbitrary command execution via the application’s Model Context Protocol (MCP) Server Management System, with no vendor patch currently available.
Chatbox AI (chatboxai/chatbox) is a widely adopted open-source desktop AI client and smart assistant that allows users to connect to multiple large language model (LLM) providers, including OpenAI, Claude, Google Gemini, and locally hosted models, through a unified interface.
The application has gained significant traction in the developer and AI enthusiast community for its built-in support for the Model Context Protocol (MCP), which enables rich integration with external tools, APIs, and server-side capabilities.
As MCP adoption has surged in 2026, so too has its attack surface, and CVE-2026-6130 is the latest demonstration of that risk.
Chatbox AI Vulnerability
Disclosed on April 12, 2026, CVE-2026-6130 is an OS command injection vulnerability rooted in the StdioClientTransport function located at src/main/mcp/ipc-stdio-transport.ts within Chatbox’s MCP Server Management System.
The flaw is assigned two overlapping weaknesses: CWE-77 (Improper Neutralization of Special Elements in a Command) and CWE-78 (Improper Neutralization of Special Elements in an OS Command), reflecting the layered nature of the injection path.
The vulnerability was reported to the project maintainers through GitHub Issue #3627, but as of the publication date, the project has not responded to the disclosure.
| CVSS Version | Score | Severity | Vector |
|---|---|---|---|
| CVSS v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| CVSS v3.1 | 7.3 | HIGH | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| CVSS v4.0 | 6.9 | MEDIUM | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L |
How Remote OS Command Injection Attack Works
The core issue lies in how Chatbox’s MCP IPC transport layer processes user-supplied input. The StdioClientTransport class, which manages inter-process communication between the Chatbox frontend and spawned MCP server processes, uses the args and env arguments to construct OS-level commands that launch subprocess servers.
When these arguments are passed without proper sanitization or neutralization of shell metacharacters, an attacker can embed malicious command sequences that the underlying OS shell interprets and executes directly.
This pattern is conceptually identical to other high-profile MCP injection vulnerabilities discovered throughout early 2026, including argument injection flaws in Anthropic’s own official Git MCP server that achieved remote code execution through prompt injection alone.
In the Chatbox case, the stdio transport channel, which is designed to pipe JSON-RPC messages between the host process and MCP servers, becomes the conduit for injected OS commands, bypassing any application-layer filtering.
Because the attack vector is network-accessible (AV:N) and requires no authentication (PR:N) or user interaction (UI:N), exploitation can be triggered remotely by a malicious MCP server configuration or by a crafted payload delivered through the user’s AI workflow.
The CVSS v3.1 score of 7.3 HIGH, with an exploitability subscore of 3.9 and a base vector of AV:N/AC:L/PR:N/UI:N, confirms that exploitation is low-complexity and requires no special privileges. The exploit has been classified as published and ready to use, elevating its urgency from theoretical to actively weaponizable.
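To make the injection path concrete from the defender's side, the following added example (not Chatbox project code; the { command, args, env } config shape and the helper names are assumptions) shows the vulnerable pattern of flattening an MCP server definition into a shell-parsed string next to a hardened form that validates the fields and keeps them as an argv array with shell disabled:

```typescript
// Added example, not Chatbox project code: checking an MCP stdio server
// definition ({ command, args, env }) before it is handed to a spawn call.
// The config shape and helper names are assumptions for illustration.

interface McpServerDef {
  command: string;
  args: string[];
  env: Record<string, string>;
}

// Characters a POSIX or Windows shell treats specially. If any of them reach a
// shell-interpreted command line, the value is no longer a single argument.
const SHELL_META = /[;&|`$<>(){}\n\r\\"']/;
// Environment variable names must be identifiers; anything else is suspect.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: flatten the definition into one string and let a shell
// parse it (spawn(cmd, { shell: true }) or exec(cmd)). An argument such as
// "server.js; echo injected" is split by the shell into two commands.
function buildShellCommandLine(def: McpServerDef): string {
  return [def.command, ...def.args].join(" ");
}

// Returns a list of problems; an empty list means the definition is clean.
function validateServerDef(def: McpServerDef): string[] {
  const problems: string[] = [];
  if (def.command.trim() === "" || SHELL_META.test(def.command)) {
    problems.push(`command contains shell metacharacters: ${def.command}`);
  }
  def.args.forEach((a, i) => {
    if (SHELL_META.test(a)) {
      problems.push(`args[${i}] contains shell metacharacters: ${a}`);
    }
  });
  for (const name of Object.keys(def.env)) {
    if (!ENV_NAME.test(name)) {
      problems.push(`env name is not an identifier: ${name}`);
    }
    if (/[\n\r\0]/.test(def.env[name])) {
      problems.push(`env[${name}] contains control characters`);
    }
  }
  return problems;
}

// Hardened pattern: keep command and args as an argv array, never a string,
// and force shell: false so the OS receives them verbatim (execve semantics).
interface SpawnPlan {
  file: string;
  args: string[];
  env: Record<string, string>;
  shell: false;
}

function planSafeSpawn(def: McpServerDef): SpawnPlan {
  const problems = validateServerDef(def);
  if (problems.length > 0) {
    throw new Error("refusing to spawn MCP server: " + problems.join("; "));
  }
  return { file: def.command, args: [...def.args], env: { ...def.env }, shell: false };
}

// Constructed sample definitions (not taken from any real config file).
const cleanDef: McpServerDef = {
  command: "node",
  args: ["server.js", "--port", "8080"],
  env: { MCP_LOG_LEVEL: "info" },
};
const taintedDef: McpServerDef = {
  command: "node",
  args: ["server.js; echo injected"],
  env: { "PATH;X": "1" },
};

console.log(buildShellCommandLine(taintedDef)); // one string, two commands once a shell parses it
console.log(validateServerDef(taintedDef));     // two problems: args[0] and the env name
console.log(planSafeSpawn(cleanDef));            // argv array with shell: false
```

Env values are deliberately only checked for control characters: with shell: false they are never shell-parsed, and legitimate values such as PATH routinely contain `;` or `:`. The argument check is the one that matters, because it is the args array that becomes the subprocess command line.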
Broader MCP Security Context
This vulnerability does not exist in a vacuum. The MCP ecosystem has been under sustained attack scrutiny in 2026, with Trend Micro identifying 492 unauthenticated MCP servers exposed to the internet and SecurityScorecard flagging over 135,000 OpenClaw instances at risk.
BlueRock Security analyzed over 7,000 MCP servers and found that 36.7% were potentially vulnerable to server-side request forgery (SSRF).
Research has repeatedly shown that STDIO-based transports, like the one in Chatbox, are particularly susceptible when argument validation is absent.
The Azure DevOps MCP authentication bypass (CVE-2026-32211, CVSS 9.1), patched earlier this month, similarly demonstrates that MCP integration points are becoming primary targets for attackers seeking lateral movement into developer environments.
Affected Versions & Mitigation
- Affected versions: Chatbox AI (chatboxai/chatbox) 1.20.0 and earlier
- No official patch has been released at the time of publication, and the vendor has not responded to the GitHub issue report.
Until an official patch is released, security teams and users should take the following precautionary steps:
- Disable MCP server integrations in Chatbox until the vendor addresses the flaw, particularly any that accept external or user-defined args/env values
- Restrict Chatbox from running in privileged contexts to prevent it from executing the application as a system administrator or root user.
- Audit the MCP server configurations for suspicious or unexpected command, args, or env entries in config files
- Monitor for anomalous subprocess spawning originating from the Chatbox process, especially unexpected shell interpreter invocations (e.g., cmd.exe, /bin/bash)
- Pin and review MCP server package versions and block auto-approval settings for new MCP server additions
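The subprocess-monitoring step above can be turned into a simple rule. The following added example (not Chatbox project code) runs that rule over constructed process-creation telemetry; the line format (ts=, parent=, child=, cmdline=) and the interpreter and runtime lists are assumptions, so adapt the parser to the fields your EDR, auditd, or Sysmon export provides:

```typescript
// Added example, not Chatbox project code: flag shell interpreters and
// unexpected children spawned by the Chatbox process. The telemetry line
// format and the name lists below are assumptions for illustration.

interface ProcessEvent {
  ts: string;
  parent: string;
  child: string;
  cmdline: string;
}

interface Finding {
  ts: string;
  child: string;
  reason: string;
}

// Interpreters an MCP stdio transport should not need to invoke directly.
const SHELL_INTERPRETERS = new Set([
  "sh", "bash", "zsh", "dash", "cmd.exe", "powershell.exe", "pwsh.exe", "pwsh",
]);
// Runtimes an MCP server definition is normally expected to launch (assumed baseline).
const EXPECTED_RUNTIMES = new Set([
  "node", "node.exe", "npx", "uvx", "python", "python3", "python.exe",
]);

// Constructed line format: ts=<iso> parent=<path> child=<path> cmdline="<argv>"
const EVENT_RE = /^ts=(\S+) parent=(.+?) child=(.+?) cmdline="(.*)"$/;

function parseEvent(line: string): ProcessEvent | null {
  const m = EVENT_RE.exec(line);
  if (!m) return null;
  return { ts: m[1], parent: m[2], child: m[3], cmdline: m[4] };
}

// Last path component, lower-cased, for both / and \ separators.
function basename(p: string): string {
  const parts = p.split(/[\\/]/);
  return parts[parts.length - 1].toLowerCase();
}

function isChatboxParent(parent: string): boolean {
  return basename(parent).startsWith("chatbox");
}

// Returns one finding per suspicious child spawned by Chatbox.
function analyze(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev || !isChatboxParent(ev.parent)) continue;
    const child = basename(ev.child);
    if (SHELL_INTERPRETERS.has(child)) {
      findings.push({ ts: ev.ts, child: ev.child, reason: `shell interpreter spawned by Chatbox: ${ev.cmdline}` });
    } else if (!EXPECTED_RUNTIMES.has(child)) {
      findings.push({ ts: ev.ts, child: ev.child, reason: `unexpected child process: ${ev.cmdline}` });
    }
  }
  return findings;
}

// Constructed sample telemetry (not real captured events).
const SAMPLE_EVENTS: string[] = [
  'ts=2026-04-13T09:12:01Z parent=/Applications/Chatbox.app/Contents/MacOS/Chatbox child=/usr/local/bin/node cmdline="node server.js --port 8080"',
  'ts=2026-04-13T09:12:05Z parent=/Applications/Chatbox.app/Contents/MacOS/Chatbox child=/bin/bash cmdline="/bin/bash -c node server.js; echo injected"',
  'ts=2026-04-13T09:13:10Z parent=C:\\Program Files\\Chatbox\\Chatbox.exe child=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c npx -y example-server"',
  'ts=2026-04-13T09:14:00Z parent=/usr/bin/bash child=/bin/bash cmdline="bash -c ls"',
  'ts=2026-04-13T09:15:22Z parent=/Applications/Chatbox.app/Contents/MacOS/Chatbox child=/usr/bin/curl cmdline="curl example.invalid"',
];

for (const f of analyze(SAMPLE_EVENTS)) {
  console.log(`${f.ts} ${f.child}: ${f.reason}`);
}
```

The fourth sample line is a shell started by another shell and is ignored, because the rule keys on the parent image, not on the child alone. On Windows, a baseline taken before deployment may show cmd.exe launched by Chatbox for npx.cmd wrappers; if so, move that specific command line into an allowlist rather than dropping the cmd.exe rule entirely.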
Frequently Asked Questions (FAQ)
Q1: What is CVE-2026-6130?
It is a HIGH-severity OS command injection flaw in Chatbox AI ≤ v1.20.0, enabling remote arbitrary command execution via unsanitized args/env arguments in the MCP StdioClientTransport function.
Q2: Is there an active exploit for CVE-2026-6130?
Yes. The exploit has been confirmed as publicly published and available for use, making unpatched Chatbox installations immediately at risk.
Q3: What CVSS score is assigned to CVE-2026-6130?
It carries a CVSS v3.1 score of 7.3 (HIGH) and a CVSS v4.0 score of 6.9 (MEDIUM), with a fully network-accessible, zero-authentication attack vector.
Q4: Has the Chatbox vendor released a patch for CVE-2026-6130?
As of April 13, 2026, the Chatbox project has not responded to the responsible disclosure report submitted via GitHub Issue #3627.
Site: http://thecybrdef.com