docs(security): update threat-db v2.2.0 — CVE-2026-0755, mcp-run-python SSRF, 5 new scanners

New CVEs:
- CVE-2026-0755 (gemini-mcp-tool, CVSS 9.8, RCE, no fix yet)
- SNYK-PYTHON-MCPRUNPYTHON-15250607 (mcp-run-python SSRF via Deno sandbox)

New entries:
- Attack technique T010: Agent-to-Agent Communication Injection
- 5 new scanning tools: Proximity, Enkrypt AI, Cisco MCP Scanner, NeuralTrust, MCPScan.ai
- 1 new defensive resource: Anthropic Claude Code Security (2026-02-21)
- 4 new sources (Lakera, Penligent AI, Snyk, THN)

Updated security-hardening.md: added CVE-2026-0755 and mcp-run-python SSRF to CVE table

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Florian BRUNIAUX 2026-02-22 16:14:34 +01:00
parent 8a75fd2fd2
commit 92643c1a6b
2 changed files with 118 additions and 3 deletions

@ -2,8 +2,8 @@
# For use with /security-check and /security-audit commands
# Manually maintained — update after new security advisories
version: "2.1.0"
updated: "2026-02-17"
version: "2.2.0"
updated: "2026-02-22"
sources:
- name: "Snyk ToxicSkills"
url: "https://snyk.io/blog/toxicskills-malicious-ai-agent-skills-clawhub/"
@ -65,6 +65,18 @@ sources:
- name: "OWASP Top 10 for Agentic AI Security Risks 2026"
url: "https://www.startupdefense.io/blog/owasp-top-10-agentic-ai-security-risks-2026"
date: "2026-02-16"
- name: "Lakera - The Agent Skill Ecosystem: When AI Extensions Become a Malware Delivery Channel"
url: "https://www.lakera.ai/blog/the-agent-skill-ecosystem-when-ai-extensions-become-a-malware-delivery-channel"
date: "2026-02-20"
- name: "Penligent AI - CVE-2026-0755 gemini-mcp-tool Command Injection"
url: "https://www.penligent.ai/hackinglabs/de/deep-analysis-of-gemini-mcp-tool-command-injection-cve-2026-0755-when-an-mcp-toolchain-hands-user-input-to-the-shell/"
date: "2026-02-07"
- name: "Snyk - SSRF in mcp-run-python (SNYK-PYTHON-MCPRUNPYTHON-15250607)"
url: "https://security.snyk.io/vuln/SNYK-PYTHON-MCPRUNPYTHON-15250607"
date: "2026-02-09"
- name: "The Hacker News - Anthropic Launches Claude Code Security"
url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
date: "2026-02-21"
# ═══════════════════════════════════════════════════════════════
# MALICIOUS AUTHORS (confirmed by security researchers)
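Review bot: the new Penligent AI source URL carries a `/hackinglabs/de/` path segment, which looks like the German-localised copy of the article; please confirm this is the canonical URL, otherwise link the English original so the citation does not break if the localised mirror is reorganised. Also, the "Anthropic Launches Claude Code Security" source is a third-party news article (thehackernews.com); for a sources list that feeds `/security-audit`, prefer Anthropic's own announcement or changelog as the primary source and keep THN as secondary if it adds context.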
@ -712,6 +724,25 @@ cve_database:
fixed_in: "after commit f3419f00117aa9949e326f78cc940166c88f18cb"
mitigation: "Update to latest commit post-f3419f00; avoid passing user-controlled input to exec(); switch to execFile() with argument arrays"
# --- gemini-mcp-tool ---
- id: "CVE-2026-0755"
component: "gemini-mcp-tool"
severity: "critical"
cvss: 9.8
description: "Command injection via LLM-generated arguments passed directly to shell execution primitives without validation; network-reachable RCE via JSON-RPC CallTool requests requiring no authentication and no user interaction"
source: "Penligent AI"
fixed_in: "no fix confirmed at time of research (2026-02-22)"
mitigation: "Replace shell string execution with execFile() and argument arrays; validate all LLM-generated arguments before passing to any exec primitive; do not expose gemini-mcp-tool to untrusted networks"
# --- mcp-run-python ---
- id: "SNYK-PYTHON-MCPRUNPYTHON-15250607"
component: "mcp-run-python"
severity: "high"
description: "SSRF via overly permissive Deno sandbox configuration — sandbox allows localhost interface access, enabling attackers to reach internal network resources through crafted Python code execution requests"
source: "Snyk (2026-02-09)"
fixed_in: "unknown — check upstream for patch"
mitigation: "Restrict Deno sandbox network permissions to block localhost/internal ranges; do not expose mcp-run-python to untrusted inputs or external networks"
# --- MCP Salesforce Connector ---
- id: "CVE-2026-25650"
component: "MCP Salesforce Connector"
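Review bot: the `SNYK-PYTHON-MCPRUNPYTHON-15250607` entry omits the `cvss` field that the adjacent `CVE-2026-0755` entry (and presumably the rest of `cve_database`) carries, so consumers keying on `cvss` will see a missing value for a `severity: "high"` finding; either add the Snyk-published score or document that `cvss` is optional. The `source` values are also formatted inconsistently within the same hunk (`"Penligent AI"` without a date vs `"Snyk (2026-02-09)"` with one); pick one convention, ideally the date in its own field since the sources list already records it. Finally, `fixed_in: "unknown — check upstream for patch"` for a Snyk advisory is worth re-checking: Snyk vulnerability pages normally state the fixed version range, so this should resolve to either a concrete version or "no fix".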
@ -1117,6 +1148,16 @@ attack_techniques:
source: "Aikido Security (2026-01-21)"
mitigation: "Verify every package reference in SKILL.md before executing setup instructions; use package lockfiles; pin all dependencies to known-good checksums"
- id: "T010"
name: "Agent-to-Agent Communication Injection"
description: "Attacker injects malicious instructions into communication channels (Slack, email, ticketing systems, code review comments) that AI agents monitor autonomously; agent executes unauthorized actions without cryptographic source verification"
examples:
- "Posting fake urgent security alerts in Slack channels monitored by DevOps AI agents causing unauthorized deployments"
- "Embedding malicious instructions in GitHub issue comments that redirect CI/CD agents to commit backdoored code"
- "Crafting PR review comments that cause coding agents to weaken security controls under the guise of refactoring"
source: "Pillar Security / Cisco AI Security Research (2026)"
mitigation: "Validate agent instruction sources cryptographically; treat all external channel content as untrusted user input; require human-in-the-loop for high-impact actions triggered via monitored channels; scope agent permissions to minimum required for task"
# ═══════════════════════════════════════════════════════════════
# SCANNING TOOLS
# ═══════════════════════════════════════════════════════════════
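Review bot: the `T010` entry cites `"Pillar Security / Cisco AI Security Research (2026)"` but this commit adds no corresponding item to the `sources:` list (the four added above are Lakera, Penligent AI, Snyk and THN), and the technique entry itself has no `url`, so the claim is currently unverifiable from the database. Please add a `sources:` entry with the URL and date of the Pillar/Cisco publication, or reference an existing one. The mitigation "Validate agent instruction sources cryptographically" would also benefit from naming what is meant in practice (e.g. signed messages or authenticated webhook origins for the Slack/GitHub channels listed in `examples`).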
@ -1215,6 +1256,71 @@ scanning_tools:
- "Newer/community tool — smaller detection database than mcp-scan"
- "Less coverage of skills.sh / ClawHub skill scanning"
- name: "Proximity"
vendor: "community (open-source)"
type: "cli"
url: "https://www.helpnetsecurity.com/2025/10/29/proximity-open-source-mcp-security-scanner/"
capabilities:
- "Open-source MCP security scanner"
- "Identifies prompts, tools, and resources exposed by MCP servers"
- "Evaluates security risks via NOVA rule engine"
- "Detects prompt injection and jailbreak attempts in tool descriptions"
limitations:
- "Early-stage open-source project — smaller detection database than commercial tools"
- "Does not scan SKILL.md or agent config files"
- name: "Enkrypt AI MCP Scanner"
vendor: "Enkrypt AI"
type: "cloud-saas"
url: "https://www.enkryptai.com/mcp-scan"
capabilities:
- "Agentic static analysis for MCP servers"
- "Detects command injection, path traversal, prompt injection, code injection"
- "Identifies LLM-driven exploits and authorization gaps between docs and code"
- "Protocol-level vulnerability detection for MCP JSON-RPC implementation"
limitations:
- "Commercial/SaaS — not open-source"
- "Does not scan SKILL.md or ClawHub skills directly"
- name: "Cisco MCP Scanner"
vendor: "Cisco"
type: "cli"
url: "https://blogs.cisco.com/ai/ciscos-mcp-scanner-introduces-behavioral-code-threat-analysis"
capabilities:
- "Interprocedural dataflow analysis across MCP server functions"
- "Behavioral code threat analysis — compares documented intent vs actual behavior"
- "Detects hidden operations (undocumented network calls, file operations)"
- "Supports black-box (YARA/API scanning) and white-box (source code) analysis"
- "LLM-powered semantic analysis for intent vs behavior mismatch"
limitations:
- "Cisco-maintained — may require Cisco toolchain integration"
- "Does not scan skills.sh / ClawHub ecosystem"
- name: "NeuralTrust MCP Scanner"
vendor: "NeuralTrust"
type: "cloud-saas"
url: "https://neuraltrust.ai/mcp-scanner"
capabilities:
- "Detects poisoned or redefined tools and unsafe endpoint exposures"
- "Analyzes dependencies and integration risks"
- "Policy validation for MCP manifests"
- "Compliance mapping to OWASP, MITRE, and CWE frameworks"
limitations:
- "Commercial/SaaS platform"
- name: "MCPScan.ai"
vendor: "mcpscan.ai"
type: "cloud-saas"
url: "https://mcpscan.ai"
capabilities:
- "Cloud platform with specialized LLM classifiers for poisoning detection"
- "Advanced Tool Metadata Scanner for MCP servers"
- "Detects shell command patterns, code injection, resource exhaustion risks"
- "Private scanning options for enterprise users"
limitations:
- "Cloud-based — requires sending server metadata to external platform"
- "Not open-source"
- name: "Mend SAST MCP"
vendor: "Mend.io"
type: "mcp-server"
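Review bot: the `Proximity` entry is typed `cli` but its `url` is a Help Net Security news article rather than the project repository, and the `Cisco MCP Scanner` entry likewise links a Cisco blog post; for CLI tools the `url` should point at the installable project page (repository or package) so `/security-check` users can actually obtain and pin the tool, with the article kept in `sources:` if needed. `vendor: "community (open-source)"` for Proximity also departs from the vendor naming used by the other entries; consider naming the maintaining organisation or author and expressing open-source status via the `limitations`/`capabilities` text as the `Enkrypt AI` and `MCPScan.ai` entries already do.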
@ -1267,3 +1373,8 @@ defensive_resources:
url: "https://www.startupdefense.io/blog/owasp-top-10-agentic-ai-security-risks-2026"
type: "framework"
description: "Community-maintained OWASP-style Top 10 listing for agentic AI systems; covers Agent Goal Hijacking (#1), Supply Chain compromise, Tool Poisoning, Prompt Injection, Memory Poisoning, and more. Updated 2026-02-16."
- name: "Anthropic Claude Code Security"
url: "https://thehackernews.com/2026/02/anthropic-launches-claude-code-security.html"
type: "tool"
description: "Anthropic's AI-powered codebase security scanner with human-reviewed patch suggestions; launched 2026-02-21. Scans for vulnerabilities using Claude as the analysis engine with human oversight before applying fixes."
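Review bot: the `Anthropic Claude Code Security` defensive resource reuses the thehackernews.com article URL already added to `sources:`, so the `url` field points at coverage of the tool rather than the tool itself; a `type: "tool"` entry should link to Anthropic's product or documentation page so the entry stays useful once the news article ages. The `description` also repeats "launched 2026-02-21", which is already the source's `date`; keep one of the two to avoid drift if the date is corrected later.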

@ -63,10 +63,14 @@ This attack exploits the one-time approval model: once you approve an MCP, updat
| **CVE-2026-24052** | High | SSRF via domain validation bypass in WebFetch | Update to v1.0.111+ |
| **CVE-2025-66032** | High | 8 command execution bypasses via blocklist flaws | Update to v1.0.93+ |
| **ADVISORY-CC-2026-001** | High | Sandbox bypass — commands excluded from sandboxing bypass Bash permissions (no CVE assigned) | **Update to v2.1.34+ immediately** |
| **CVE-2026-0755** | **Critical (9.8)** | RCE in gemini-mcp-tool — LLM-generated args passed to shell without validation; no auth, network-reachable | **No fix yet** — avoid using in production or on exposed networks |
| **SNYK-PYTHON-MCPRUNPYTHON-15250607** | High | SSRF in mcp-run-python — Deno sandbox permits localhost access, enabling internal network pivoting | Restrict sandbox network permissions; block localhost range |
**v2.1.34 Security Fix (Feb 2026)**: Claude Code v2.1.34 patched a sandbox bypass vulnerability where commands excluded from sandboxing could bypass Bash permission enforcement. **Upgrade immediately** if running v2.1.33 or earlier. Note: this is separate from CVE-2026-25725 (a different sandbox escape fixed later).
**Source**: [Cymulate EscapeRoute](https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/), [Checkpoint MCPoison](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/), [Cato CurXecute](https://www.catonetworks.com/blog/curxecute-rce/), [SentinelOne CVE-2026-24052](https://www.sentinelone.com/vulnerability-database/cve-2026-24052/), [Flatt Security](https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/), Claude Code CHANGELOG
**⚠️ CVE-2026-0755 (Feb 2026 — No Patch)**: Critical RCE in `gemini-mcp-tool` (CVSS 9.8). An attacker can send crafted JSON-RPC `CallTool` requests with malicious arguments that execute arbitrary code on the host machine with full service account privileges. No fix confirmed as of 2026-02-22. Do not expose gemini-mcp-tool to untrusted networks.
**Source**: [Cymulate EscapeRoute](https://cymulate.com/blog/cve-2025-53109-53110-escaperoute-anthropic/), [Checkpoint MCPoison](https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/), [Cato CurXecute](https://www.catonetworks.com/blog/curxecute-rce/), [SentinelOne CVE-2026-24052](https://www.sentinelone.com/vulnerability-database/cve-2026-24052/), [Flatt Security](https://flatt.tech/research/posts/pwning-claude-code-in-8-different-ways/), [Penligent AI CVE-2026-0755](https://www.penligent.ai/hackinglabs/de/deep-analysis-of-gemini-mcp-tool-command-injection-cve-2026-0755-when-an-mcp-toolchain-hands-user-input-to-the-shell/), Claude Code CHANGELOG
#### Attack Patterns
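Review bot: the two new table rows (`CVE-2026-0755` for gemini-mcp-tool and `SNYK-PYTHON-MCPRUNPYTHON-15250607` for mcp-run-python) are inserted into a table whose existing rows are all Claude Code advisories with "Update to vX" remediations, so the "Fix" column now mixes Claude Code version bumps with guidance for unrelated third-party MCP servers; either add a component column or move these rows into a separate "Third-party MCP server CVEs" table so a reader does not assume a Claude Code upgrade addresses them. The new ⚠️ CVE-2026-0755 callout also largely duplicates the table row above it (same CVSS, same "no fix", same "do not expose" advice); keep the callout for the urgency but trim the repeated details, or drop the row's free-text remediation in favour of "see note below".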