CVE-2026-30624 - Vulnerability Analysis
High | CVSS: 8.6 | Last Updated: April 15, 2026
Agent Zero - Remote Code Execution
Published: April 15, 2026 | Updated: April 15, 2026 | Remote Exploitable
Overview
Agent Zero 0.9.8 contains a remote code execution vulnerability caused by insufficient validation of the arbitrary command and args values in the External MCP Servers JSON configuration. This lets attackers execute OS commands remotely. Exploitation requires a malicious MCP configuration.
Severity & Score
Severity: High
CVSS Score: 8.6
Impact
Attackers can execute arbitrary OS commands remotely with Agent Zero process privileges, potentially compromising the system.
Mitigation
Update to the latest version that fixes this vulnerability.
Details
- CVE ID: CVE-2026-30624
- Severity: High
- CVSS Score: 8.6
- Type: command_injection
- Status: new
CWE
- CWE-77
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H