CVE-2026-10279
Description
Command injection in wezterm-mcp allows remote attackers to execute arbitrary commands by manipulating the pane_id argument.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in hiraishikentaro wezterm-mcp version 0.1.0. The switch_pane and write_to_specific_pane tools accept a pane_id argument which is directly incorporated into shell command strings executed via child_process.exec. The runtime handler does not enforce the expected numeric type for pane_id or safely pass arguments, allowing shell metacharacters to be injected.
Exploitation
An attacker can exploit this vulnerability by sending a crafted JSON-RPC request to the MCP server. This request must contain shell metacharacters within the pane_id parameter. The attack can be initiated remotely, provided the attacker can reach the MCP server process and the host has wezterm or a compatible shell environment available.
Impact
Successful exploitation allows an attacker to execute arbitrary operating system commands with the privileges of the MCP server process. This could lead to a full compromise of the server host, depending on the permissions of the running process.
Mitigation
Version 0.1.0 is confirmed to be affected. A fixed version is not yet available, and the project has not responded to the vulnerability report as of the time of disclosure [1]. No workarounds are currently disclosed.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =0.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `pane_id` argument is not properly validated and is directly interpolated into OS command strings."
Attack vector
An attacker can initiate a remote attack by sending a crafted JSON-RPC request to the MCP server. This request places shell metacharacters in the `pane_id` argument. The MCP server then interpolates this argument into a shell command string that it runs via `child_process.exec`, leading to arbitrary command execution with the privileges of the MCP server process [1]. The attack requires the attacker to be able to invoke the MCP server tool handler directly or through a client that does not enforce numeric schemas [1].
Affected code
The vulnerability resides in the `src/wezterm_executor.ts` file, specifically within the `switch_pane` and `write_to_specific_pane` functions. These functions use `child_process.exec` to execute commands, passing the `pane_id` argument directly into the command string without proper sanitization or validation [1].
What the fix does
The advisory recommends enforcing runtime type validation for `pane_id` to reject non-integer values. It also suggests replacing `child_process.exec` with `execFile` or `spawn` and passing arguments as an array to prevent shell interpolation. Additionally, avoiding shell interpolation for all attacker-controlled values and adding regression tests with shell metacharacters are recommended [1]. A patch is not available at the time of the report.
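The hardening the advisory recommends, sketched as an added example (this is not code from wezterm-mcp; the function names are hypothetical, and the `wezterm cli activate-pane` and `send-text` invocations are assumptions about what the two tools wrap):

```javascript
// Added example, not wezterm-mcp source. Function names are hypothetical; the
// `wezterm cli` subcommands are assumed to be what the two tools wrap.

// BEFORE (vulnerable shape): pane_id lands inside a string that a shell parses.
function unsafeCommandString(paneId) {
  return `wezterm cli activate-pane --pane-id ${paneId}`; // would go to exec()
}

// Runtime type check: the JSON schema is advisory, the handler must enforce it.
function parsePaneId(value) {
  const isInt = typeof value === "number" && Number.isSafeInteger(value) && value >= 0;
  // Also accept canonical decimal strings such as "12" (no sign, space, suffix).
  const isDigits = typeof value === "string" && /^(0|[1-9][0-9]{0,9})$/.test(value);
  if (!isInt && !isDigits) throw new TypeError("pane_id must be a non-negative integer");
  return Number(value);
}

// AFTER: each value is its own argv element, so no shell ever tokenizes it.
function activatePaneArgv(paneId) {
  return ["cli", "activate-pane", "--pane-id", String(parsePaneId(paneId))];
}

function sendTextArgv(paneId, text) {
  if (typeof text !== "string") throw new TypeError("text must be a string");
  // "--" ends option parsing so text starting with "-" is not read as a flag.
  return ["cli", "send-text", "--pane-id", String(parsePaneId(paneId)), "--", text];
}

// execFile spawns the binary directly; shell stays disabled (the default).
async function runWezterm(argv) {
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("wezterm", argv, { shell: false, timeout: 5000 }, (err, stdout) =>
      err ? reject(err) : resolve(stdout));
  });
}

// Regression inputs (constructed, plus the string from the Reproduction section).
const REJECTED_PANE_IDS = [
  "1; echo WEZTERM_MCP_TEST > wezterm-mcp-poc.txt", "1 && true", "$(true)",
  "`true`", "1|true", "1\n2", " 1", "1.5", "-1", "", -1, 1.5, NaN, null, [1], {},
];

// Returns the inputs that were wrongly accepted; an empty array means all rejected.
function wronglyAccepted(inputs) {
  return inputs.filter((v) => {
    try { parsePaneId(v); return true; } catch { return false; }
  });
}
```

Validation and argument-array execution are independent layers: the integer check rejects the request early, and `execFile` keeps free-form values such as the text argument out of any shell.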
Preconditions
- input: The `pane_id` argument can be manipulated with shell metacharacters.
- network: The attack can be initiated remotely.
- auth: The attacker can invoke the MCP server tool handler directly or through a client that does not enforce the numeric schema.
- config: The host has wezterm or the relevant shell command environment available, and the MCP server process has permission to execute local commands.
Reproduction
{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"switch_pane","arguments":{"pane_id":"1; echo WEZTERM_MCP_TEST > wezterm-mcp-poc.txt"}}}
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References