CVE-2026-30624: Agent Zero External MCP Servers Command Injection

Agent Zero 0.9.8 contains a critical remote command execution (RCE) vulnerability in its External MCP Servers configuration feature. By providing a crafted JSON configuration, an unauthenticated attacker can execute arbitrary commands on the underlying host with the privileges of the Agent Zero process. This vulnerability is highly critical due to its direct impact on host integrity and potential for lateral movement within a compromised environment.

The vulnerability resides in the application’s handling of External MCP Server configurations. It accepts a JSON payload in which a user can specify the command and arguments for a stdio-based MCP server. The application then passes these inputs directly into StdioServerParameters without sanitization or an allowlist, so the user-supplied command is executed as a subprocess.

  1. An attacker identifies an instance of Agent Zero that accepts external MCP configurations.
  2. The attacker crafts a malicious JSON payload specifying a reverse shell or a command to be executed.
  3. The malicious configuration is submitted to the application.
  4. Agent Zero processes the configuration and spawns the malicious subprocess, triggering the command injection.

When investigating this vulnerability, focus on the following artifacts:

Process Auditing

Analyze process creation logs for unexpected subprocesses spawned by the agent-zero process, specifically shell interpreters (sh, bash, cmd.exe, powershell).

Configuration Analysis

Review the stored configuration files of Agent Zero for suspicious or unauthorized External MCP Server definitions.

To detect potential exploitation attempts, implement the following monitoring:

title: Potential Command Injection via Agent Zero MCP Configuration
status: experimental
description: Detects suspicious subprocess execution initiated by the Agent Zero application due to insecure MCP configuration.
logsource:
    category: process_creation
detection:
    selection:
        # Adjust to the image name the Agent Zero process has in your telemetry
        ParentImage|endswith: '/agent-zero'
        Image|endswith:
            - '/sh'
            - '/bash'
            # Windows image paths use backslashes
            - '\cmd.exe'
            - '\powershell.exe'
    condition: selection

Update Agent Zero to the latest version immediately. If an update is not immediately available, restrict the ability to configure External MCP Servers to trusted users and validate all input configurations against a strict allowlist.
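
The configuration review and the allowlist mitigation described above can share one check. The following is an added example, not Agent Zero's own code: it assumes the configuration is a JSON object with an `mcpServers` mapping whose stdio entries carry `command` and `args`, and the approved path and arguments are hypothetical.

```python
import json

# Hypothetical allowlist: exact executable path plus exact argument list.
APPROVED_SERVERS = {
    ("/opt/mcp/bin/filesystem-server", ("--root", "/srv/mcp-data")),
}

def check_config(raw_json):
    """Return (server_name, reason) for each stdio entry that is not approved."""
    try:
        config = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [("<document>", f"invalid JSON: {exc.msg}")]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("<document>", "missing or malformed 'mcpServers' object")]
    findings = []
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            findings.append((name, "entry is not an object"))
            continue
        if "command" not in entry:
            continue  # assumed to be a non-stdio (URL) server; nothing is spawned
        command, args = entry["command"], entry.get("args", [])
        if not isinstance(command, str) or not isinstance(args, list) \
                or not all(isinstance(a, str) for a in args):
            findings.append((name, "command/args have unexpected types"))
        elif (command, tuple(args)) not in APPROVED_SERVERS:
            # Exact match only: a permitted binary with different args is rejected.
            findings.append((name, f"not on allowlist: {command!r} {args!r}"))
    return findings

# Constructed sample: one approved entry, one that launches a shell interpreter.
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "/opt/mcp/bin/filesystem-server",
              "args": ["--root", "/srv/mcp-data"]},
    "notes": {"command": "/bin/sh", "args": ["-c", "echo constructed-sample"]},
}})

if __name__ == "__main__":
    for name, reason in check_config(SAMPLE):
        print(f"REJECT {name}: {reason}")
```

Run it over stored configuration files during an investigation, or call `check_config` before a submitted configuration is accepted and refuse it if any finding is returned.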