Command Injection Vulnerability in Agions Taskflow-AI Product
CVE-2026-5831

5.3 MEDIUM

Key Information:

Vendor: Agions

CVE Published: 9 April 2026

What is CVE-2026-5831?

A command injection flaw has been identified in Agions taskflow-ai, affecting versions up to 2.1.8. The flaw is in the terminal_execute component, in the file src/mcp/server/handlers.ts. Improper handling of input allows command injection, and the attack can be carried out remotely. The issue is fixed in version 2.1.9, and the vendor has provided a patch (c1550b445b9f24f38c4414e9a545f5f79f23a0fe) that corrects the vulnerable code. Users are strongly advised to upgrade to the latest version.

Affected Version(s)

taskflow-ai 2.1.0

taskflow-ai 2.1.1

taskflow-ai 2.1.2

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

BruceJin (VulDB User)
VulDB CNA Team