CVE-2026-7591 | TimBroddin astro-mcp-server up to 1.1.1 MCP Tool Query Construction src/index.ts request.params.arguments sql injection (EUVD-2026-26709)
A vulnerability, which was classified as critical, has been found in TimBroddin astro-mcp-server up to 1.1.1. The impacted element is an unknown function of the file src/index.ts of the component MCP Tool Query Construction. Performing a manipulation of the argument request.params.arguments results in sql injection.
This vulnerability was named CVE-2026-7591. The attack may be initiated remotely. In addition, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.