How to Check Your MCP Server for CVE-2026-5603's Vulnerability Pattern (And Why shellQuote Isn't Enough)
CVE-2026-5603 is a Critical command injection in @elgentos/magento2-dev-mcp, but the vulnerability pattern it represents shows up in community MCP servers regularly. This post explains what the vulnerability is, why the sanitizer fails on Windows, how to check your own MCP server code for the same issue, and what the correct fix looks like.

What Is CVE-2026-5603?

@elgentos/magento2-dev-mcp is an NPM package that exposes Magento 2 development operations as MCP tools: database queries, cache management, module operations, configuration commands. AI coding assistants can call these tools on behalf of developers.

The vulnerability: 16 of these tools pass user-supplied parameters into shell commands. A single-quote sanitizer is applied before insertion, but it fails to protect Windows deployments. The result: an attacker who can manipulate an AI agent into calling one of these tools with crafted parameters can execute arbitrary commands on the machine running the server.

Affected versions: 1.0.2 and earlier. Patched in PR #5.

Why shellQuote Fails on Windows

shellQuote uses single-quote escaping designed for Bourne-compatible shells. In bash and sh, everything between single quotes is treated as a literal string; special characters have no effect.

cmd.exe does not use single quotes as quoting characters. They pass through the command line unchanged, and metacharacters like &, |, >, and < retain their command-separator semantics regardless of the surrounding single quotes.

The server documentation confirms Windows as a supported deployment environment. Magento 2 developers running Docker-based local environments (Warden, DDEV) on Windows are the affected population.

How to Audit Your Own MCP Server

If you maintain or use a community MCP server that wraps shell operations, check for this pattern:

1. Identify any shell execution calls in the server code.
2. For each one, trace where the values fed into the command come from.
3. If any value originates from MCP tool parameters (what the AI agent sends), check whether any sanitization is applied and whether that sanitizer covers all deployment platforms, including Windows.

String-escaping libraries designed for Unix shells typically do not protect against Windows cmd.exe. If a user on Windows deploys your server, escaping that worked in your Linux test environment may be silently ineffective on theirs.

The Fix Pattern

The correct approach uses execFile (Node.js) or its equivalent in your runtime:

    import { execFile } from 'child_process';
    import { promisify } from 'util';

    const execFileAsync = promisify(execFile);

    async function runMagerun(userQuery, options) {
      // args is an array, not a concatenated string: no shell parses it,
      // so metacharacters in userQuery reach magerun2 as literal text
      const { stdout } = await execFileAsync('magerun2', [userQuery], options);
      return stdout;
    }

This works safely on both Linux and Windows. No sanitizer is needed because no shell interprets the arguments.

How Armor1 Detects This

Armor1's MCP server source code scanning performs taint flow analysis: it traces user input from MCP tool parameters through the call graph to execution sinks, and checks whether any sanitizers along the path adequately handle the target environment.

When run against magento2-dev-mcp, the scan identified both vulnerable code paths and flagged the sanitizer as inadequate for Windows cmd.exe. The findings were classified as high-severity code execution risks.

The scan doesn't depend on CVE databases: it reads the code and evaluates what the code does. This is the difference between reactive and proactive scanning. CVE-based dependency scanning tells you a vulnerability exists after a researcher files an advisory and the databases index it (typically 24-72 hours after disclosure). Source code analysis tells you the pattern exists from the moment it appears in the codebase.

Two things you can do right now, both free:

1. See the risk of any MCP server in your environment in Armor1's public catalog.
2. Cover your entire agentic stack (every app, MCP, tool, skill, and plugin) by signing up free at app.armor1.ai.

Remediation Summary

Package: @elgentos/magento2-dev-mcp
Affected versions: <= 1.0.2
Status: Patched (PR #5)
Action: npm update @elgentos/magento2-dev-mcp

Verify your version: npm list @elgentos/magento2-dev-mcp

For your own MCP servers: replace string-based shell command construction with execFile(command, [userInput]).
