
CVE-2026-4496: OS Command Injection in sigmade Git-MCP-Server

Severity: Medium
Type: Vulnerability
Tags: CVE-2026-4496
Published: Fri Mar 20 2026 (03/20/2026, 18:32:13 UTC)
Source: CVE Database V5
Vendor/Project: sigmade
Product: Git-MCP-Server

Description

CVE-2026-4496 is an OS command injection vulnerability in the sigmade Git-MCP-Server, specifically in the child_process.exec usage within src/gitUtils.ts. The flaw allows a local attacker with limited privileges to execute arbitrary OS commands due to insufficient input sanitization in the functions that show merge diffs and file differences. Exploitation requires local access and no user interaction, and the vulnerability affects confidentiality, integrity, and availability at a limited scope. The vendor has not responded to disclosure, and no patch or version details are currently available because the product follows a rolling release model. Although no exploitation in the wild is known, public exploit code exists. Organizations using this product should prioritize patching once a fix is available and implement strict local access controls to mitigate risk in the meantime.

AI-Powered Analysis

Last updated: 03/20/2026, 19:09:49 UTC

Technical Analysis

CVE-2026-4496 is a medium-severity OS command injection vulnerability in the sigmade Git-MCP-Server, a tool for managing Git repositories. The vulnerability resides in a child_process.exec call within src/gitUtils.ts, specifically in the components that handle merge diffs and file difference summaries (show_merge_diff/quick_merge_summary/show_file_diff). The issue arises because user-controlled input is passed unsafely into the command string given to exec, so an attacker with local access and limited privileges can inject and execute arbitrary operating system commands. This can lead to unauthorized command execution and compromise system confidentiality, integrity, and availability. The attack vector requires local access (AV:L) and low attack complexity (AC:L), with low privileges required (PR:L) and no user interaction (UI:N). The product is a rolling release without fixed versioning, which complicates patch management. The vendor was notified but has not responded, and no official patch or mitigation guidance has been published. While no active exploitation in the wild is currently reported, public exploit code is available, which increases the risk of future attacks. The CVSS 4.0 base score is 4.8, reflecting medium severity because of the limited scope and the local access requirement.

Potential Impact

The vulnerability allows local attackers to execute arbitrary OS commands with the privileges of the Git-MCP-Server process, potentially leading to unauthorized data access, modification, or disruption of service. This can compromise the confidentiality and integrity of source code repositories managed by the server, impacting development workflows and potentially introducing malicious code. Availability may also be affected if attackers execute commands that disrupt server operations. Since exploitation requires local access, the risk is primarily to organizations with insufficient internal access controls or compromised user accounts. The lack of vendor response and patch availability increases the window of exposure. Organizations relying on Git-MCP-Server for critical development infrastructure could face operational disruptions and intellectual property theft if exploited.

Mitigation Recommendations

Until an official patch is released, organizations should implement strict local access controls to limit who can interact with the Git-MCP-Server environment. This includes enforcing least privilege principles, restricting shell access, and monitoring for unusual command execution patterns. Employ application-level sandboxing or containerization to isolate the Git-MCP-Server process and limit the impact of potential command injection. Review and harden input validation and sanitization in the affected components if source code access and development resources are available. Regularly audit system logs for suspicious activity and consider deploying host-based intrusion detection systems (HIDS) to detect exploitation attempts. Coordinate with the vendor for updates and apply patches promptly once available. Additionally, consider network segmentation to isolate the server from sensitive systems and implement multi-factor authentication for local access where possible.


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-03-20T09:15:25.741Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bd97dde32a4fbe5fbf1b07

Added to database: 3/20/2026, 6:54:21 PM

Last enriched: 3/20/2026, 7:09:49 PM

Last updated: 3/20/2026, 8:23:49 PM

