PT-2026-6322 · Godot Mcp · Godot-Mcp

Wcole3 · Published 2026-02-04 · Updated 2026-04-18 · CVE-2026-25546

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Godot MCP versions prior to 0.1.1

Description: Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. An OS command injection flaw in godot-mcp allows arbitrary code execution. The executeOperation() function interpolates user-controlled tool-call input, such as the projectPath argument, into a command string that is passed to exec(), which runs the string through a shell. An attacker who controls that argument can embed shell metacharacters, for example $(command) on POSIX shells or &calc on Windows, and the injected command runs with the privileges of the MCP server process. Every tool that accepts projectPath is affected, including create scene, add node, and load sprite.

Recommendations: Update to Godot MCP version 0.1.1 or later. Until then, do not expose the server to untrusted MCP clients, and treat any tool call whose projectPath contains shell metacharacters as an attack attempt.

Tags: Exploit · Fix · RCE

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2026-25546, GHSA-8JX2-RHFH-Q928

Affected Products: Godot-Mcp