GHSA-vrxg-gm77-7q5g: Unauthenticated Remote Code Execution in Windows-MCP HTTP Transport
Vulnerability ID: GHSA-VRXG-GM77-7Q5G
CVSS Score: 8.7
Published: 2026-05-21
Windows-MCP versions prior to 0.7.5 expose an unauthenticated HTTP transport endpoint with a wildcard CORS policy. This allows remote attackers or malicious websites to execute arbitrary PowerShell commands on the host machine by interacting with the local MCP server.
TL;DR
A critical vulnerability in the Windows-MCP server allows unauthenticated attackers to achieve remote code execution. The flaw arises from a combination of a wildcard CORS policy, missing authentication on the HTTP transport endpoint, and the exposure of a privileged PowerShell execution tool.
⚠️ Exploit Status: POC
Technical Details
- Advisory ID: GHSA-vrxg-gm77-7q5g
- CWE ID: CWE-306, CWE-942, CWE-94
- Attack Vector: Network
- CVSS v4.0 Base Score: 8.7 (High)
- Impact: Unauthenticated Remote Code Execution
- Exploit Status: Proof-of-Concept Available
Affected Systems
- Windows-MCP (PyPI: windows-mcp)
- Systems executing windows-mcp via HTTP transport
-
windows-mcp: < 0.7.5 (Fixed in:
0.7.5)
Mitigation Strategies
- Update windows-mcp to version 0.7.5 or newer.
- Utilize the default
stdiotransport mode instead of HTTP transport when possible. - Configure
--auth-keyto require token authentication for HTTP endpoints. - Configure
--cors-originsto explicitly list trusted domains and disable wildcard access.
Remediation Steps:
- Identify all hosts running Windows-MCP.
- Upgrade the Python package using
pip install --upgrade windows-mcp>=0.7.5. - Review startup scripts and services executing Windows-MCP.
- If HTTP transport is required, append the
--auth-keyand--cors-originsarguments with secure, environment-specific values. - Restart the Windows-MCP service to apply the configuration changes.
References
Read the full report for GHSA-VRXG-GM77-7Q5G on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)