MEDIUM 6.3

CVE-2026-10279: OS Command Injection in wezterm-mcp 0.1.0

A remote command injection vulnerability exists in wezterm-mcp version 0.1.0, a WezTerm terminal multiplexer control plane component. An authenticated attacker can manipulate the pane_id parameter in requests to the switch_pane/write_to_specific_pane function to inject arbitrary operating system commands. The vulnerability requires valid credentials to exploit but poses a meaningful risk in environments where WezTerm MCP is exposed to untrusted users or networked clients.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in hiraishikentaro wezterm-mcp 0.1.0. The affected element is an unknown function of the file src/wezterm_executor.ts of the component switch_pane/write_to_specific_pane. The manipulation of the argument request.params.arguments.pane_id leads to os command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10279 is an OS command injection flaw in the wezterm-mcp switch_pane/write_to_specific_pane handler. The vulnerability resides in src/wezterm_executor.ts where the request.params.arguments.pane_id parameter is processed without proper sanitization before being passed to system command execution. This allows an authenticated attacker to break out of intended command boundaries and execute arbitrary shell commands with the privileges of the WezTerm process. The attack vector is network-based (CVSS AV:N) and requires authentication (PR:L), though the impact scope is confined to the compromised system. Relevant CWEs include CWE-77 (Improper Neutralization of Special Elements) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Business impact

Compromise of a WezTerm MCP instance grants an authenticated attacker shell-level access to the host system, potentially leading to data exfiltration, lateral movement, or disruption of terminal-based infrastructure automation. Organizations using WezTerm MCP as a centralized terminal management or scripting backend face elevated risk, especially in DevOps or systems administration workflows. The publicly available exploit means opportunistic attackers can quickly move from awareness to active exploitation if internal systems are exposed.

Affected systems

The vulnerability affects wezterm-mcp version 0.1.0 specifically. This is an early version of a community-developed control plane component for WezTerm, suggesting limited production deployment at scale. However, any organization using version 0.1.0—whether directly or as a dependency in custom tooling—should inventory affected instances. The maintainer (hiraishikentaro) has not yet released a patch or public response as of the publication date.

Exploitability

The exploit is publicly available and can be initiated remotely by any authenticated user. Exploitation requires valid credentials, which moderates the immediate risk for air-gapped or properly access-controlled systems but increases concern for internet-facing or multi-user environments. The simplicity of the command injection vector (direct parameter manipulation) suggests low technical barrier once credentials are obtained.

Remediation

Upgrade to a patched version once released by the wezterm-mcp maintainer—verify the specific version number against the project's releases or security advisory. Pending a patch, restrict network access to WezTerm MCP endpoints via firewall rules or VPN segmentation, limit user authentication to trusted identities, and consider disabling the switch_pane/write_to_specific_pane functionality if operationally feasible. Implement input validation and command escaping at the application layer as a temporary hardening measure if code audit is possible.

Patch guidance

Monitor the wezterm-mcp GitHub repository for security releases. When a patch is available, apply it immediately to all running instances. Given the early version number (0.1.0), anticipate that a patch may involve a minor or patch-level version bump. Test patches in a non-production environment before rollout to ensure compatibility with existing WezTerm configurations. If no patch is released within a reasonable timeframe, consider migrating to an alternative terminal multiplexer control solution or forking the project to apply a local fix.

Detection guidance

Monitor logs from WezTerm MCP for unusual pane_id values in switch_pane/write_to_specific_pane requests—especially those containing shell metacharacters (pipes, semicolons, backticks, command substitution syntax). Network intrusion detection systems (IDS) should flag requests with encoded or obfuscated command syntax targeting this endpoint. Audit process execution logs on systems running WezTerm MCP for unexpected child processes spawned by the WezTerm service, particularly those initiated by non-privileged authenticated sessions.

Why prioritize this

Although CVSS scores this as MEDIUM severity, the combination of a publicly available exploit, network accessibility, and shell-level impact justifies prompt attention for any organization running wezterm-mcp. The lack of vendor response at publication further elevates urgency. Prioritize based on internal exposure: internet-facing or multi-tenant deployments warrant immediate remediation; air-gapped or single-user lab instances can follow standard patching cadence pending vendor guidance.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects the requirement for authentication (PR:L), which reduces exploitability in restricted environments. Network accessibility and the local scope of impact (S:U) prevent a higher rating. However, the public availability of working exploits, simplicity of the injection vector, and potential for post-exploitation privilege escalation may justify treating this as HIGH priority within your risk model, especially if WezTerm MCP is Internet-exposed or handles sensitive administrative workflows.

Frequently asked questions

Who is at risk from this vulnerability?

Any organization running wezterm-mcp version 0.1.0, particularly those deploying it in networked, multi-user, or DevOps automation contexts. Single-user local instances present lower risk unless the system itself is already compromised or exposed to untrusted network segments.

Does this affect the main WezTerm terminal emulator?

No. This vulnerability is specific to wezterm-mcp, a community-developed control plane component. The core WezTerm terminal emulator is a separate project and is not directly affected. However, confirm your deployment topology to determine if you are using both tools.

What should I do if I cannot patch immediately?

Restrict network access to WezTerm MCP endpoints via firewall or network segmentation, limit authenticated users to a minimal trusted set, and monitor logs closely for exploitation attempts. Consider temporarily disabling the affected functionality if operationally feasible until a patch is available.

Is there a public exploit proof-of-concept?

Yes, public exploits are available, which accelerates the timeline for active exploitation. Do not rely solely on obscurity; implement access controls and monitoring as outlined above.

This analysis is based on available information as of the publication date. Patch availability, vendor response status, and affected product deployments may change. Always verify current information against the official vendor advisory and your own system inventory before taking remediation action. SEC.co does not provide exploit code or weaponized proof-of-concept details. Consult your security team, vulnerability management process, and vendor communications for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).