CVE-2026-26029
📋 TL;DR
CVE-2026-26029 is a command injection vulnerability in sf-mcp-server that allows attackers to execute arbitrary shell commands by injecting malicious input into Salesforce CLI commands. This affects users of Claude for Desktop with the sf-mcp-server integration. Successful exploitation gives attackers the same privileges as the MCP server process.
💻 Affected Systems
- sf-mcp-server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the host system with privilege escalation to root/admin, allowing data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Unauthorized access to Salesforce data, credential theft, and lateral movement within the network from the compromised host.
If Mitigated
Limited impact if server runs with minimal privileges and network segmentation prevents lateral movement.
🎯 Exploit Status
Exploitation requires access to the MCP server interface, which typically requires some level of access to the Claude for Desktop application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 99fba0171b8c22b5ee3c0405053ccfd2910a066d or later
Vendor Advisory: https://github.com/akutishevsky/sf-mcp-server/security/advisories/GHSA-h4w9-g9c5-vfwq
Restart Required: Yes
Instructions:
1. Update sf-mcp-server to the latest version.
2. Restart Claude for Desktop.
3. Verify the fix by checking that the installed commit is 99fba0171b8c22b5ee3c0405053ccfd2910a066d or later.
🔧 Temporary Workarounds
Disable sf-mcp-server
All platforms: temporarily disable the vulnerable component until patching is possible
Remove or disable sf-mcp-server integration from Claude for Desktop settings
Run with minimal privileges
All platforms: run Claude for Desktop with a non-administrative user account
🧯 If You Can't Patch
- Isolate the system running Claude for Desktop from sensitive networks and data
- Implement strict network segmentation and monitor for unusual process execution
🔍 How to Verify
Check if Vulnerable:
Check if sf-mcp-server is installed and if the commit hash is earlier than 99fba0171b8c22b5ee3c0405053ccfd2910a066d
Check Version:
Check the sf-mcp-server directory for a .git folder and run: git log --oneline -1
Verify Fix Applied:
Verify the installed sf-mcp-server commit hash is 99fba0171b8c22b5ee3c0405053ccfd2910a066d or later
📡 Detection & Monitoring
Log Indicators:
- Unusual child process spawns from Claude for Desktop
- Salesforce CLI commands with unexpected arguments or shell metacharacters
Network Indicators:
- Unexpected outbound connections from Claude for Desktop process
- Command and control traffic from the host
SIEM Query:
Process creation where parent process contains 'claude' or 'sf-mcp' and command line contains shell metacharacters like ;, &, |, $, (, ), {, }
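
The SIEM query above, expressed as runnable logic over process-creation events. This is an added example, not part of the original advisory or the sf-mcp-server project; the event field names, file paths and sample events are constructed assumptions. It also shows that the query as written flags a legitimate SOQL query containing parentheses, so hits need triage:

```python
import re

# Shell metacharacters listed in the SIEM query: ; & | $ ( ) { }
SHELL_META = re.compile(r"[;&|$(){}]")
# Parent-process substrings from the SIEM query.
PARENT_MARKERS = ("claude", "sf-mcp")


def is_suspicious(event):
    """True when the parent matches a marker and the command line has a metacharacter."""
    parent = event.get("parent_cmdline", "").lower()
    if not any(marker in parent for marker in PARENT_MARKERS):
        return False
    return bool(SHELL_META.search(event.get("command_line", "")))


def triage(events):
    """Return (pid, matched metacharacters) for every event the query would flag."""
    hits = []
    for ev in events:
        if is_suspicious(ev):
            chars = sorted(set(SHELL_META.findall(ev["command_line"])))
            hits.append((ev["pid"], "".join(chars)))
    return hits


# Constructed sample telemetry; field names and paths are assumptions.
SERVER = "node /opt/sf-mcp-server/build/index.js"
SAMPLE_EVENTS = [
    {"pid": 4101, "parent_cmdline": "/Applications/Claude.app/Contents/MacOS/Claude",
     "command_line": SERVER},
    {"pid": 4102, "parent_cmdline": SERVER,
     "command_line": "sf org list --json"},
    # Command separator after the CLI arguments: the pattern the query targets.
    {"pid": 4103, "parent_cmdline": SERVER,
     "command_line": "/bin/sh -c sf data query --target-org dev; echo injected"},
    # Unrelated parent: out of scope for this query even with metacharacters.
    {"pid": 4104, "parent_cmdline": "/usr/bin/zsh",
     "command_line": "echo $(date)"},
    # Legitimate SOQL with parentheses: a false positive of the query as written.
    {"pid": 4105, "parent_cmdline": SERVER,
     "command_line": 'sf data query --query "SELECT COUNT() FROM Account" --json'},
]

if __name__ == "__main__":
    for pid, chars in triage(SAMPLE_EVENTS):
        print(f"pid={pid} metacharacters={chars}")
```
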