CVE-2026-26029 is an OS command injection vulnerability classified under CWE-78 found in the sf-mcp-server product by akutishevsky, which implements a Salesforce MCP server for Claude for Desktop. The vulnerability stems from the unsafe use of Node.js's child_process.exec function to run Salesforce CLI commands constructed with user-supplied input. Because the input is not properly sanitized or neutralized, attackers can inject arbitrary shell commands that the MCP server process executes with its privileges. This can lead to full system compromise, including unauthorized data access, modification, or destruction, and disruption of service. The vulnerability affects all versions prior to 1.0.3 and was published on February 11, 2026. The CVSS v3.1 base score is 7.5, reflecting network attack vector, high impact on confidentiality, integrity, and availability, no privileges required, but user interaction is necessary. No public exploits are known yet, but the nature of the vulnerability makes it a critical risk if exploited. The flaw is particularly dangerous because it allows remote attackers to execute arbitrary commands without authentication, leveraging user interaction to trigger the exploit. The vulnerability highlights the importance of secure coding practices when handling external input in command execution contexts.

For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized access to sensitive Salesforce data, disruption of business operations relying on the MCP server, and potential lateral movement within corporate networks. Given the integration of Salesforce in many European enterprises for CRM and business processes, a successful attack could compromise customer data, intellectual property, and internal communications. The arbitrary command execution capability could also be leveraged to deploy malware, ransomware, or establish persistent backdoors. This would impact confidentiality, integrity, and availability of critical systems. Additionally, regulatory compliance risks arise, especially under GDPR, due to potential data breaches. The requirement for user interaction somewhat limits automated exploitation but does not eliminate risk, particularly in environments where social engineering or phishing could be used to trigger the vulnerability. The lack of known exploits currently provides a window for remediation before widespread attacks occur.

1. Immediately upgrade sf-mcp-server to version 1.0.3 or later where the vulnerability is patched. 2. Implement strict input validation and sanitization on all user inputs that influence command execution to prevent injection of malicious shell commands. 3. Avoid using child_process.exec with unsanitized input; prefer safer alternatives such as child_process.spawn with argument arrays or dedicated APIs that do not invoke shell parsing. 4. Restrict the privileges of the MCP server process to the minimum necessary, employing least privilege principles to limit the impact of any compromise. 5. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block suspicious command execution attempts. 6. Educate users about social engineering risks since user interaction is required for exploitation. 7. Monitor logs and system behavior for unusual command execution patterns indicative of exploitation attempts. 8. Conduct regular security audits and code reviews focusing on command execution and input handling practices.