PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57860 tailcallhq CVE debrief

CVE-2026-57860: ForgeCode, an AI pair-programming CLI, executes MCP servers defined in a repository's .mcp.json file without user confirmation. A malicious repository can supply a crafted .mcp.json file that specifies arbitrary command and args values, leading to arbitrary code execution when a user runs the forge CLI inside a cloned untrusted repository. This vulnerability provides a reliable initial-access and persistence primitive against developers who evaluate untrusted repositories with ForgeCode. The likely operational impact is high, given the potential for code execution with user privileges.

Vendor
tailcallhq
Product
forgecode
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Developers who use ForgeCode and evaluate untrusted repositories should be aware of this vulnerability. They should exercise caution when working with untrusted repositories and consider implementing compensating controls to mitigate the risk. Affected operators include developers, platform administrators, and security teams responsible for vulnerability management.

Technical summary

The ForgeCode CLI automatically loads and executes MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can craft a .mcp.json file with arbitrary command and args values, leading to code execution with the user's privileges when running the forge CLI in an untrusted repository. This vulnerability affects developers who use ForgeCode and evaluate untrusted repositories. The technical impact is arbitrary code execution, which provides a reliable initial-access and persistence primitive.

Defensive priority

High

Recommended defensive actions

  • Verify the integrity of MCP JSON files in repositories before executing them.
  • Implement compensating controls to restrict the execution of arbitrary commands.
  • Monitor for suspicious activity when working with untrusted repositories.
  • Consider using alternative tools or workflows that do not rely on automatic execution of MCP servers.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-17T17:17:16.777Z and has not been modified since then. The NVD entry is currently Deferred. The ForgeCode CLI's behavior of automatically loading and executing MCP servers defined in a repository's .mcp.json file without user confirmation poses a significant risk. Evidence of exploitation is not currently available, but defenders should verify the integrity of MCP JSON files in repositories before executing them and monitor for suspicious activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:16.777Z and has not been modified since then.