CVE-2026-57860
Tailcall · ForgeCode
ForgeCode, an AI pair-programming CLI, is vulnerable to arbitrary code execution because it automatically loads and executes MCP servers defined in untrusted repositories.
Executive summary
ForgeCode is susceptible to arbitrary code execution when processing untrusted repositories, which could lead to a total system compromise.
Vulnerability
The application suffers from CWE-829, where it includes functionality from an untrusted control sphere. Specifically, the CLI automatically loads and executes MCP servers defined in a repository, which can be manipulated by an attacker to execute arbitrary code with the user's privileges.
Business impact
Successful exploitation allows an attacker to execute arbitrary code on the host machine, leading to full system compromise. With a CVSS score of 7.8, this vulnerability poses a severe threat to developer workstations and CI/CD environments. The ability for an attacker to gain control over the local environment can lead to the exfiltration of sensitive credentials, source code, or internal network access.
Remediation
Immediate Action: Exercise extreme caution when using ForgeCode with untrusted repositories and verify the contents of repository configuration files before execution.
Proactive Monitoring: Monitor developer workstation processes for unexpected child processes or unusual network connections initiated by the ForgeCode CLI.
Compensating Controls: Restrict developer environments by using isolated containers or virtual machines to limit the potential blast radius of code execution vulnerabilities.
Exploitation status
Public Exploit Available: No (exploit_available: unknown)
Analyst recommendation
Users of ForgeCode must remain vigilant against loading untrusted repositories until an official security patch is released by the vendor. Developers should prioritize isolating their environments and reviewing repository configurations to mitigate the risk of arbitrary code execution.