CVE-2026-25546: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Coding-Solo godot-mcp
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.
AI Analysis
Technical Summary
CVE-2026-25546 is an OS command injection vulnerability classified under CWE-78 affecting the godot-mcp server, a Model Context Protocol server used to interact with the Godot game engine. The root cause is the executeOperation function passing user-controlled input, specifically the projectPath parameter, directly to an exec() call that spawns a shell, without sanitization or neutralization of shell metacharacters. This allows attackers to inject arbitrary shell commands using constructs like $(command) or &calc, which the shell interprets and executes with the privileges of the MCP server process. The vulnerability affects all operations that accept projectPath, including create_scene, add_node, and load_sprite, making it broadly exploitable across godot-mcp's functionality. The vulnerability requires user interaction but no authentication, increasing the attack surface especially in environments where godot-mcp is exposed to untrusted users or network segments. The vulnerability was publicly disclosed on February 4, 2026, with a CVSS v3.1 score of 7.8, indicating high severity. Although no known exploits are currently reported in the wild, the ease of exploitation and the potential impact on confidentiality, integrity, and availability make it critical to address. The vendor has released version 0.1.1, which patches this issue by properly sanitizing inputs before passing them to exec().
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those involved in game development, digital media, or any sector leveraging the Godot engine and godot-mcp for automation or integration. Successful exploitation could lead to remote code execution, allowing attackers to compromise the confidentiality of sensitive project data, alter or corrupt game assets or code (integrity), and disrupt development workflows or production environments (availability). This could result in intellectual property theft, sabotage of development pipelines, or broader network compromise if the MCP server privileges extend beyond isolated environments. Given the high CVSS score and the nature of the vulnerability, organizations face a risk of lateral movement and persistent compromise if the MCP server is accessible from less trusted networks or exposed to external users. The absence of required authentication and the reliance on user interaction mean phishing or social engineering could facilitate exploitation. The impact is amplified in environments where godot-mcp is integrated into continuous integration/continuous deployment (CI/CD) pipelines or automated build systems.
Mitigation Recommendations
European organizations should immediately upgrade all godot-mcp instances to version 0.1.1 or later to apply the official patch that neutralizes shell metacharacters in user inputs. Until patching is possible, restrict network access to the MCP server to trusted internal networks only, employing strict firewall rules and network segmentation to minimize exposure. Implement input validation and sanitization at the application layer to reject or escape shell metacharacters in parameters like projectPath. Employ application-level logging and monitoring to detect anomalous command execution patterns or unexpected process spawning. Use least privilege principles for the MCP server process, ensuring it runs with minimal permissions to limit the impact of potential exploitation. Educate developers and users about the risks of interacting with untrusted inputs and the importance of applying updates promptly. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions to detect and block suspicious command injection attempts. Finally, review and audit CI/CD pipelines and integration points for exposure to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland, Italy, Spain, Finland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T19:59:47.375Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6983c169f9fa50a62faf7b03
Added to database: 2/4/2026, 10:00:09 PM
Last enriched: 2/4/2026, 10:14:43 PM
Last updated: 2/6/2026, 6:13:49 PM