Overview
Remote code execution vulnerability in the GitHub Kanban MCP server. Allows arbitrary command execution through the MCP tool interface.
Who Is Affected
Reported by SentinelOne. Affects users of the GitHub Kanban MCP server, which provides GitHub project board management through MCP-enabled AI agents.
Where It Exists
The vulnerability is in the GitHub Kanban MCP server's tool implementation, where user-supplied input reaches shell execution without adequate sanitization.
When It Was Found
Disclosed January 2026 by SentinelOne.
How It Works
An attacker provides crafted input through the MCP tool parameters that contains shell metacharacters or injection payloads. The server passes this input to a shell command without sanitization, resulting in arbitrary command execution. The attack can be triggered via prompt injection in GitHub issue titles, descriptions, or labels that the agent processes.
Impact
Remote code execution on the server host. Attackers can access GitHub tokens stored by the server, compromise the developer's GitHub account, access source code repositories, and pivot to CI/CD infrastructure. The GitHub token typically has broad repository access, amplifying the blast radius.
Mitigation
Avoid using this server until a patched version is available. If required, restrict it to read-only GitHub operations. Use execFile with argument arrays instead of shell string interpolation. Apply the principle of least privilege to GitHub tokens -- use fine-grained personal access tokens with minimal scopes.