PT-2026-7725 · Unknown+1 · Sf-Mcp-Server+3

Akutishevsky · Published 2026-02-11 · Updated 2026-02-13 · CVE-2026-26029

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

sf-mcp-server (affected versions not specified)

Description

A command injection issue exists in sf-mcp-server, an implementation of a Salesforce MCP server for Claude for Desktop. The issue is caused by unsafe use of the child_process.exec function when building Salesforce CLI commands with input controlled by the user. Successful exploitation could allow attackers to execute arbitrary shell commands with the privileges of the MCP server process.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
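
The pattern the description names, as an added example (not code from sf-mcp-server or from this advisory): the shell-string form of child_process.exec is shown in a comment beside a hardened form that passes an argument array to execFile. The function names, the org allowlist, the length limit and the sample values are assumptions constructed for illustration.

```javascript
'use strict';
const { execFile } = require('node:child_process');
const { promisify } = require('node:util');

const execFileAsync = promisify(execFile);

// Unsafe pattern (hypothetical reconstruction, shown as a comment only):
//   exec(`sf data query --query "${soql}" --target-org ${org} --json`)
// exec() hands the whole string to a shell, so quotes, ;, |, &, backticks
// and $() inside soql or org are parsed as shell syntax, not as data.

// Assumed allowlist for an org alias or username: starts alphanumeric
// (so it can never be read as a CLI flag), no whitespace or metacharacters.
const ORG_RE = /^[A-Za-z0-9][A-Za-z0-9._@-]{0,79}$/;

// Build the argv array for the Salesforce CLI. Each value is one element,
// so the OS passes it to the process verbatim and no shell ever parses it.
// The 4000-character cap is an assumed sanity limit, not a CLI rule.
function buildSfArgs(soql, org) {
  if (typeof soql !== 'string' || soql.length === 0 || soql.length > 4000 ||
      /[\0\r\n]/.test(soql)) {
    throw new TypeError('invalid SOQL query');
  }
  if (typeof org !== 'string' || !ORG_RE.test(org)) {
    throw new TypeError('invalid org identifier');
  }
  return ['data', 'query', '--query', soql, '--target-org', org, '--json'];
}

// Hardened call: execFile with an argument array and no shell.
async function runSfQuery(soql, org) {
  const { stdout } = await execFileAsync('sf', buildSfArgs(soql, org), {
    shell: false,                 // default for execFile, stated explicitly
    timeout: 30_000,              // bound a hung CLI call
    maxBuffer: 10 * 1024 * 1024,  // cap the output kept in memory
  });
  return JSON.parse(stdout);
}

// Constructed sample input: the metacharacters stay inside argv[3] as data.
const sample = buildSfArgs("SELECT Id FROM Account WHERE Name = 'a$(echo x)'", 'dev-org');
console.log(sample);
```
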

Exploit

OS Command Injection


Weakness Enumeration

Related Identifiers

CVE-2026-26029
GHSA-H4W9-G9C5-VFWQ

Affected Products

Claude For Desktop
Salesforce Cli
Salesforce Mcp Server
Sf-Mcp-Server