Remote Code Execution Vulnerability in Agent Zero from OX Security
CVE-2026-30624

8.6 HIGH

Key Information:

Vendor
CVE Published: 15 April 2026

What is CVE-2026-30624?

The remote code execution vulnerability in Agent Zero version 0.9.8 arises from improper handling of user-defined MCP server configurations. Users can supply arbitrary commands and arguments through a JSON configuration, and these values are not adequately validated, so an attacker could craft a malicious MCP configuration that causes unintended operating system commands to be executed, jeopardizing the security and integrity of systems running the application. The issue highlights the need for robust input validation and stricter configuration management in software applications.
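The kind of validation the description calls for, as an added example that is not Agent Zero's code or the vendor's fix: each MCP server entry is checked against an operator allowlist before anything is launched. The `mcpServers`/`command`/`args` key names, the allowlist contents and the sample configuration are assumptions constructed for illustration.

```python
import json

# Assumed operator policy: launcher -> server packages approved to run (constructed names).
ALLOWED_SERVERS = {
    "npx": {"@example/files-mcp"},
    "uvx": {"example-search-mcp"},
}
SHELL_META = set(";|&`$<>\n\r\x00")  # rejected in arguments as defense in depth

def check_server(spec):
    """Return (argv, None) if the entry passes policy, else (None, reason)."""
    if not isinstance(spec, dict):
        return None, "entry is not an object"
    cmd, args = spec.get("command"), spec.get("args", [])
    # Exact match only: absolute paths, relative paths and unknown binaries all fail.
    if not isinstance(cmd, str) or cmd not in ALLOWED_SERVERS:
        return None, "command not on allowlist"
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return None, "args must be a list of strings"
    # The first argument must be an approved package, so no launcher flags can precede it.
    if not args or args[0] not in ALLOWED_SERVERS[cmd]:
        return None, "server package not on allowlist"
    if any(SHELL_META & set(a) for a in args):
        return None, "shell metacharacter in argument"
    return [cmd, *args], None

def validate_mcp_config(raw):
    """Split a JSON MCP configuration into approved argv lists and rejection reasons."""
    doc = json.loads(raw)
    servers = doc.get("mcpServers") if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be an object")
    approved, rejected = {}, {}
    for name, spec in servers.items():
        argv, reason = check_server(spec)
        if reason is None:
            approved[name] = argv
        else:
            rejected[name] = reason
    return approved, rejected

# Constructed sample input (assumed key layout), not taken from the advisory.
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["@example/files-mcp", "/srv/data"]},
    "shell": {"command": "/bin/sh", "args": ["-c", "echo constructed"]},
    "unlisted": {"command": "npx", "args": ["@example/unknown-mcp"]},
    "chained": {"command": "npx", "args": ["@example/files-mcp", "/srv/data;echo constructed"]},
}})
```

Approved entries come back as argv lists, meant to be passed to a process launcher without a shell (for example `subprocess.Popen(argv)` with the default `shell=False`).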

CVSS V3.1

Score: 8.6
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
