Context7 MCP Server Custom Rules instruction injection security flaw

Vulnerability
1 unique sources, 1 articles

Summary

The Context7 MCP Server ContextCrush flaw let attackers inject malicious instructions through the Custom Rules documentation channel, putting AI coding assistants at risk. Because the server feeds tools like Cursor, Claude Code, and Windsurf, the issue could let attackers influence workflows on a developer's machine. Upstash remediated the problem after disclosure, and researchers said there is no evidence of real-world exploitation.

Timeline

  1. 05.03.2026 16:00 2 articles · 2mo ago

    ContextCrush disclosure in Upstash's Context7 MCP Server

    Initial Disclosure

    Researchers disclosed ContextCrush in Upstash's Context7 MCP Server, a tool used to deliver documentation to AI coding assistants such as Cursor, Claude Code and Windsurf. The flaw let malicious instructions in the Custom Rules feature pass through a trusted documentation channel without filtering or sanitization, and researchers said there was no evidence of real-world exploitation.

  2. 05.03.2026 16:00 1 articles · 2mo ago

    Upstash begins remediation after ContextCrush disclosure

    Mitigation Patch Update

    Upstash began remediation for ContextCrush the day after the disclosure, starting work on the Context7 MCP Server after researchers identified that malicious Custom Rules content could be delivered through the trusted documentation channel. The response marked the first mitigation step against the instruction-injection path.

  3. 05.03.2026 16:00 1 articles · 2mo ago

    Upstash deploys ContextCrush fix with rule sanitisation

    Mitigation Patch Update

    Upstash deployed a fix for the Context7 MCP Server on February 23, adding rule sanitisation and additional safeguards to the Custom Rules feature. The patch addressed the instruction-injection path that could let poisoned library entries influence AI coding assistants inside developer environments.
