PatchSiren cyber security CVE debrief
CVE-2026-57860 tailcallhq CVE debrief
CVE-2026-57860: ForgeCode, an AI pair-programming CLI, executes MCP servers defined in a repository's .mcp.json file without user confirmation. A malicious repository can supply a crafted .mcp.json file that specifies arbitrary command and args values, leading to arbitrary code execution when a user runs the forge CLI inside a cloned untrusted repository. This vulnerability provides a reliable initial-access and persistence primitive against developers who evaluate untrusted repositories with ForgeCode. The likely operational impact is high, given the potential for code execution with user privileges.
- Vendor
- tailcallhq
- Product
- forgecode
- CVSS
- HIGH 8.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Developers who use ForgeCode and evaluate untrusted repositories should be aware of this vulnerability. They should exercise caution when working with untrusted repositories and consider implementing compensating controls to mitigate the risk. Affected operators include developers, platform administrators, and security teams responsible for vulnerability management.
Technical summary
The ForgeCode CLI automatically loads and executes MCP servers defined in a repository's .mcp.json file on startup without user confirmation. A malicious repository can craft a .mcp.json file with arbitrary command and args values, leading to code execution with the user's privileges when running the forge CLI in an untrusted repository. This vulnerability affects developers who use ForgeCode and evaluate untrusted repositories. The technical impact is arbitrary code execution, which provides a reliable initial-access and persistence primitive.
Defensive priority
High
Recommended defensive actions
- Verify the integrity of MCP JSON files in repositories before executing them.
- Implement compensating controls to restrict the execution of arbitrary commands.
- Monitor for suspicious activity when working with untrusted repositories.
- Consider using alternative tools or workflows that do not rely on automatic execution of MCP servers.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-17T17:17:16.777Z and has not been modified since then. The NVD entry is currently Deferred. The ForgeCode CLI's behavior of automatically loading and executing MCP servers defined in a repository's .mcp.json file without user confirmation poses a significant risk. Evidence of exploitation is not currently available, but defenders should verify the integrity of MCP JSON files in repositories before executing them and monitor for suspicious activity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T17:17:16.777Z and has not been modified since then.