CVE-2026-25546 is an OS command injection vulnerability classified under CWE-78 affecting the godot-mcp server, a Model Context Protocol server used to interact with the Godot game engine. In versions prior to 0.1.1, the executeOperation function improperly handles user input by passing parameters like projectPath directly to the exec() function without sanitization or validation. This allows attackers to inject shell metacharacters (e.g., $(command), &calc) into these inputs, resulting in arbitrary command execution with the privileges of the MCP server process. The vulnerability impacts multiple commands that accept projectPath, including create_scene, add_node, and load_sprite, making it broadly exploitable within the godot-mcp context. Exploitation requires local access with limited privileges and user interaction but does not require authentication, increasing risk in multi-user or development environments. The vulnerability has been assigned a CVSS 3.1 score of 7.8 (high), reflecting its significant impact on confidentiality, integrity, and availability. The issue was patched in version 0.1.1 by properly sanitizing inputs and avoiding direct shell execution of user-controlled data. No known exploits have been reported in the wild, but the potential for remote code execution makes timely patching critical.

For European organizations, the impact of this vulnerability can be substantial, especially for those involved in game development or using the Godot engine with godot-mcp for automation or server-side operations. Successful exploitation could lead to full compromise of the MCP server process, allowing attackers to execute arbitrary commands, potentially leading to data theft, manipulation of game assets, disruption of development workflows, or pivoting to other internal systems. Confidentiality, integrity, and availability of development environments and associated infrastructure could be severely affected. Organizations relying on godot-mcp in continuous integration/continuous deployment (CI/CD) pipelines or collaborative development environments face increased risk due to the possibility of lateral movement. Although exploitation requires local access and user interaction, insider threats or compromised developer machines could leverage this vulnerability. The lack of authentication requirement for the vulnerable commands further exacerbates the risk in shared or poorly segmented environments.

European organizations should immediately upgrade godot-mcp to version 0.1.1 or later, where the vulnerability is patched. Until upgrading is possible, restrict access to the MCP server to trusted users only, ideally through network segmentation and strict access controls. Implement input validation and sanitization at the application layer to prevent injection of shell metacharacters in any user-supplied parameters. Employ application whitelisting or sandboxing techniques to limit the execution context of the MCP server process. Monitor logs for suspicious command execution patterns or unexpected shell invocations related to godot-mcp operations. Educate developers and operators about the risks of passing unsanitized input to shell commands and enforce secure coding practices. Consider deploying host-based intrusion detection systems (HIDS) to detect anomalous behavior on systems running godot-mcp. Finally, review and harden the overall security posture of development environments, including endpoint protection and least privilege principles.