CVE-2026-7785 Overview
CVE-2026-7785 is an operating system command injection vulnerability in the A-G-U-P-T-A wireshark-mcp project. The flaw resides in the quick_capture function within pyshark_mcp.py. Attackers can manipulate input passed to this function to inject arbitrary operating system commands. The attack is exploitable remotely and requires no authentication or user interaction. The exploit code has been disclosed publicly, increasing the risk of opportunistic abuse. Because the project follows a rolling release model, no fixed version identifiers exist for affected or patched commits beyond the referenced commit hashes edaf604416fbc94a201b4043092d4a1b09a12275 and 400c3da70074f22f3cce7ccb65304cafc7089c89. The maintainer was notified through a public issue but has not responded.
Critical Impact
Remote, unauthenticated attackers can inject operating system commands via the quick_capture function, leading to arbitrary command execution in the context of the wireshark-mcp service.
Affected Products
- A-G-U-P-T-A wireshark-mcp (rolling release)
- Commit edaf604416fbc94a201b4043092d4a1b09a12275
- Commit 400c3da70074f22f3cce7ccb65304cafc7089c89
Discovery Timeline
- 2026-05-05 - CVE-2026-7785 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7785
Vulnerability Analysis
The vulnerability is classified as OS command injection [CWE-77]. It affects the quick_capture function defined in pyshark_mcp.py, a component of the wireshark-mcp project that wraps packet capture functionality and exposes it through a Model Context Protocol (MCP) server.
The quick_capture function accepts caller-supplied parameters that are incorporated into a shell command without sufficient sanitization or argument separation. When the constructed command is executed, an attacker-controlled value can break out of the intended argument boundary and append additional shell commands. Because MCP servers are commonly invoked by AI assistants and automation tooling, malicious values can flow from prompts, configuration files, or remote MCP clients into the vulnerable function.
The EPSS score is 1.039% with a percentile of 77.533, indicating elevated relative likelihood of exploitation attempts compared with the broader CVE population. Public availability of the exploit further raises operational risk.
Root Cause
The root cause is improper neutralization of special elements used in an OS command. User-controlled input passed to quick_capture is concatenated into a shell invocation rather than passed as a discrete argument list to a safe execution API such as subprocess.run([...], shell=False).
Attack Vector
The attack vector is network-based. An attacker capable of sending requests to the MCP interface, or influencing inputs that flow into quick_capture, can supply payloads containing shell metacharacters such as ;, &&, |, or backticks. The injected payload executes with the privileges of the process hosting the MCP server.
For technical specifics, see the GitHub PoC Repository, the GitHub Issue Discussion, and the VulDB Vulnerability Details.
Detection Methods for CVE-2026-7785
Indicators of Compromise
- Unexpected child processes spawned by the Python interpreter running pyshark_mcp.py, particularly shells such as /bin/sh, /bin/bash, or cmd.exe.
- Outbound network connections from the MCP host to unfamiliar destinations following capture requests.
- MCP request payloads containing shell metacharacters (;, |, &&, `, $() inside arguments destined for quick_capture.
Detection Strategies
- Inspect MCP request logs for arguments to quick_capture that contain shell metacharacters or chained commands.
- Apply process-tree monitoring to flag any shell descendants of the pyshark_mcp.py process.
- Correlate tshark/dumpcap invocations with subsequent execution of unrelated binaries from the same parent.
Monitoring Recommendations
- Enable command-line auditing (auditd execve on Linux, Sysmon Event ID 1 on Windows) on hosts running wireshark-mcp.
- Forward host telemetry to a centralized analytics platform and alert on anomalous child processes of the MCP service.
- Monitor egress traffic from MCP hosts for connections that do not match the expected packet-capture workflow.
How to Mitigate CVE-2026-7785
Immediate Actions Required
- Restrict network exposure of any wireshark-mcp instance so that only trusted local clients can reach the MCP endpoint.
- Run the MCP service under a dedicated low-privileged account and within a container or sandbox.
- Treat any inputs reaching quick_capture as untrusted, including those originating from AI assistants and shared configuration files.
Patch Information
No vendor patch is available. The project operates on a rolling release basis, and the maintainer has not yet responded to the public issue report. Track the GitHub Issue Discussion for updates.
Workarounds
- Replace shell-based invocation in quick_capture with a parameterized call such as subprocess.run([...], shell=False) if maintaining a local fork.
- Validate capture-related arguments against an allowlist of interface names and filter expressions before passing them to capture utilities.
- Disable or remove the quick_capture tool registration from the MCP server until a fix is published.
# Configuration example - run wireshark-mcp under a constrained user and bind to localhost only
useradd --system --shell /usr/sbin/nologin mcpsvc
sudo -u mcpsvc python3 pyshark_mcp.py --host 127.0.0.1 --port 8765
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
