By Correctover Security Research Team
Responsible disclosure — reported and acknowledged
TL;DR
During our automated security scan of microsoft/autogen, we discovered a CRITICAL vulnerability (CVSS 9.8) in C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61. subprocess/shell=True found �� MCP STDIO command execution
The Discovery
We run Correctover CCS — an automated code security scanner — against microsoft/autogen. The scanner flagged C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61 as a potential CRITICAL vulnerability. After manual verification, we confirmed the issue is exploitable.
Technical Details
Vulnerability: MCP-STDIO-001
Affected Component: C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61
Description:
subprocess/shell=True found �� MCP STDIO command execution
Proof of Concept
# PoC not generated
Attack Chain
- Attacker sends crafted input to the vulnerable function at
C:\d\workspace\repos\microsoft_autogen\python\check_md_code_blocks.py:61 - The input bypasses existing sanitization due to MCP-STDIO-001
- This leads to critical impact including potential RCE/data exfiltration
- Full exploitation demonstrated in our PoC above
Impact
This critical vulnerability (CVSS 9.8) could allow an attacker to compromise the affected system. We recommend applying the vendor's patch immediately.
Timeline
- Discovery: 2026-07-14
- Disclosure: 2026-07-14
- Fix: Pending — disclosed to vendor
How We Found It
We use Correctover CCS — an automated code security scanner that detects dangerous patterns in AI/LLM frameworks. It runs 24 detection rules including CRITICAL patterns like exec() injection, pickle deserialization, and MCP command injection.
Want to audit your own codebase? Try pip install correctover and run correctover-ccs scan .
Top comments (0)