CVE-2026-5833
MEDIUMawwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection
Title source: cnaDescription
A security vulnerability has been detected in awwaiid mcp-server-taskwarrior up to 1.0.1. This impacts the function server.setRequestHandler of the file index.ts. Such manipulation of the argument Identifier leads to command injection. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The name of the patch is 1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2. Applying a patch is advised to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
References (8)
Core 8
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-356289 | awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection
https://vuldb.com/vuln/356289
Signature, Permissions Required signature
permissions-required
VDB-356289 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/356289/cti
Third Party Advisory third-party-advisory
Submit #789810 | awwaiid mcp-server-taskwarrior <=1.0.1 Command Injection
https://vuldb.com/submit/789810
Issue Tracking issue-tracking
https://github.com/awwaiid/mcp-server-taskwarrior/issues/8
Issue Tracking issue-tracking
https://github.com/awwaiid/mcp-server-taskwarrior/issues/8#issuecomment-4139402095
Patch patch
https://github.com/awwaiid/mcp-server-taskwarrior/commit/1ee3d282debfa0a99afeb41d22c4b2fd5a3148f2
Product product
https://github.com/awwaiid/mcp-server-taskwarrior/
Scores
CVSS v3
5.3
EPSS
0.0065
EPSS Percentile
46.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-74
CWE-77
Status
published
Products (3)
awwaiid/mcp-server-taskwarrior
1.0.0
awwaiid/mcp-server-taskwarrior
1.0.1
npm/mcp-server-taskwarrior
0npm
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026