CVE-2026-4199: Command Injection in bazinga012 mcp_code_executor

Severity: Medium
Published: Mon Mar 16 2026 (03/16/2026, 00:02:10 UTC)
Source: CVE Database V5
Vendor/Project: bazinga012
Product: mcp_code_executor

Description

A vulnerability was identified in bazinga012 mcp_code_executor up to version 0.3.0. The affected function is installDependencies in the file src/index.ts; manipulation of its input leads to command injection. The attack can only be performed from a local environment. The exploit is publicly available and might be used. It is best practice to apply a patch to resolve this issue. The project was informed of the problem early through an issue report but has not responded yet.

AI-Powered Analysis

Last updated: 03/16/2026, 08:38:09 UTC

Technical Analysis

The vulnerability identified as CVE-2026-4199 affects bazinga012 mcp_code_executor up to version 0.3.0. It resides in the installDependencies function of src/index.ts, where improper input handling leads to command injection. The flaw allows an attacker with local access and low privileges to inject and execute arbitrary system commands, potentially compromising the host. The attack vector is local, so remote exploitation is not feasible without prior access. The CVSS 4.0 vector indicates low attack complexity and no user interaction, but privileges are required. The vulnerability affects confidentiality, integrity, and availability by enabling unauthorized command execution. Although exploit code is publicly available, no active exploitation in the wild has been reported. The vendor was notified early but has not issued a patch or response, which leaves users exposed until mitigations or updates are applied. The vulnerability is rated medium severity because of the local access requirement and limited scope, but it remains a significant risk in environments where attackers or malicious insiders can obtain local access.

Potential Impact

This vulnerability can lead to unauthorized command execution on systems running vulnerable versions of mcp_code_executor, potentially allowing attackers to escalate privileges, manipulate or exfiltrate sensitive data, disrupt services, or install persistent malware. Because exploitation requires local access, the threat is most relevant in multi-user environments, on development machines, and on compromised internal networks. Organizations that rely on this software for code execution or dependency management could face integrity and availability issues if attackers leverage the flaw, and the lack of a vendor response and patch lengthens the exposure period. While direct remote exploitation is not possible, an attacker who has gained a local foothold by other means could use this vulnerability to deepen their control, making it a valuable post-compromise tool. The medium severity rating reflects the balance between attack complexity and potential damage, but the impact can be severe in targeted environments.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately restrict local access to systems running mcp_code_executor to trusted users only, implement strict access controls, and monitor for unusual local activity. Because no official patch is available, review the installDependencies function manually and validate or sanitize its inputs so that user-controlled values cannot reach a shell. Employ application allowlisting and endpoint detection to flag anomalous command executions, isolate environments running this software to limit lateral movement, and regularly audit logs for suspicious local command executions. If feasible, replace or avoid vulnerable versions until a vendor patch is released, and engage with the vendor or community to encourage timely patch development. Additionally, educate developers and administrators about the risks of local command injection and enforce secure coding practices to prevent similar issues.
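The mitigation above asks for input validation in installDependencies. The following is an added illustration, not code from the bazinga012 mcp_code_executor project and not a reconstruction of its src/index.ts: it contrasts a hypothetical installer that interpolates package names into a shell command line with one that validates each package specifier against an allow-list pattern and passes the names as separate argv entries to execFile, so no shell ever parses them. The function names, the PACKAGE_SPEC pattern, and the use of pip as the installer are assumptions for the example.

```typescript
// Added example (not the project's own code). Demonstrates why a dependency
// installer should pass package names as argv entries rather than interpolate
// them into a shell string, and how to reject names that are not valid specs.
import { execFile } from "node:child_process";

// Assumed allow-list for a package specifier: a leading letter or digit,
// then letters, digits, dot, underscore or hyphen, with an optional ==version
// pin. Shell metacharacters, whitespace and leading "-" (option-like names)
// all fail this pattern.
const PACKAGE_SPEC = /^[A-Za-z0-9][A-Za-z0-9._-]*(==[A-Za-z0-9._+-]+)?$/;

function isSafePackageSpec(spec: string): boolean {
  return PACKAGE_SPEC.test(spec);
}

// Vulnerable pattern, shown only for contrast and never executed here: the
// package list is joined into one string that a shell would parse, so any
// metacharacter in a name becomes part of the command line itself.
function unsafeCommandLine(packages: string[]): string {
  return `pip install ${packages.join(" ")}`;
}

// Hardened pattern: validate every specifier first, then return the
// executable and its argv array. Nothing here is ever handed to a shell.
function buildInstallArgs(packages: string[]): { file: string; args: string[] } {
  const rejected = packages.filter((p) => !isSafePackageSpec(p));
  if (rejected.length > 0) {
    throw new Error(`refusing to install invalid package specs: ${JSON.stringify(rejected)}`);
  }
  return { file: "pip", args: ["install", ...packages] };
}

// Runs the hardened form with execFile, which spawns the program directly
// (no shell). Assumes a pip executable is on PATH; not exercised by the test.
function installDependencies(packages: string[]): Promise<string> {
  const { file, args } = buildInstallArgs(packages);
  return new Promise((resolve, reject) => {
    execFile(file, args, (err, stdout, stderr) => {
      if (err) {
        reject(err);
      } else {
        resolve(stdout + stderr);
      }
    });
  });
}
```

The allow-list rejects the input before any process is spawned, and execFile with an argv array means a name that somehow slipped through would still reach pip as a single argument rather than being re-parsed by a shell; both layers are worth keeping.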


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-15T08:32:38.885Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69b7c1479d4df451833752d8

Added to database: 3/16/2026, 8:37:27 AM

Last enriched: 3/16/2026, 8:38:09 AM

Last updated: 3/16/2026, 9:44:12 PM
