Jul 8, 2026·5 min read·6 visits
Serena's unauthenticated Flask API on local port 24282 is vulnerable to DNS Rebinding. Remote attackers can leverage malicious web pages to bypass the browser Same-Origin Policy, poison the AI agent's memory, and trigger arbitrary command execution on the developer's workstation.
CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.
Serena is an AI-assisted coding Model Context Protocol (MCP) toolkit providing semantic retrieval, indexing, and direct workspace editing capabilities. To provide interactive diagnostics to developers, Serena initializes a local Flask-based web application hosting its workspace dashboard on a predictable TCP port (24282).
This dashboard exposes administrative APIs that allow direct read and write access to the tool's underlying data stores, memory, and task configurations. In vulnerable versions, this Flask dashboard contains no authentication mechanism, session tokens, or cross-origin request restrictions, which presents an extensive unauthenticated local attack surface.
While the application is typically bound to the loopback interface, standard browser security protections such as the Same-Origin Policy (SOP) are insufficient to protect the local endpoints. By leveraging DNS Rebinding, external web origins can communicate directly with the local server to execute administrative functions.
The root cause of this vulnerability lies in a critical combination of insecure defaults: binding to a predictable hardcoded port, missing API-level authentication, and an absence of HTTP Host header validation.
Serena configures its local Flask application to bind to port 24282, which is hardcoded as hexadecimal value 0x5EDA within the configuration file constants.py. Because the endpoint is predictable, attackers can construct cross-origin web requests targeting this exact port without requiring prior network reconnaissance. Crucially, the endpoints do not validate the HTTP Host header of incoming requests.
In a DNS Rebinding attack, an attacker-controlled external domain has its DNS Time-To-Live (TTL) set to a low value. The victim's browser loads a malicious page from this domain, caches the initial resolution, and then re-queries the domain after the TTL expires. The attacker's DNS server then resolves the domain to 127.0.0.1. The browser, treating this as the same origin, issues asynchronous POST requests to the local Serena service. Because the application processes requests containing arbitrary Host headers, the browser's Same-Origin Policy is bypassed, allowing state manipulation on the local application.
The vulnerability exists because Serena did not check the routing details of the request headers before processing endpoints. In versions prior to v1.5.2, any HTTP request hitting the dashboard was authorized automatically.
The remediation, committed in hash 016ccbe1c095a3eed7967737ac1d4df2754f5d96 inside src/serena/dashboard.py, introduces a pre-request filtering mechanism using Flask's before_request hook:
# Verify host and port on each request to prevent DNS-rebinding-based attacks
@self._app.before_request
def check_host() -> None:
allowed = {f"127.0.0.1:{port}", f"localhost:{port}"}
if request.host not in allowed:
abort(403)This filter asserts that the request.host attribute strictly matches either 127.0.0.1 or localhost bound to the active port. If an external browser script makes a request using a rebound domain name, the Host header (e.g., rebound.attacker.com:24282) will fail this set-membership validation, and the application will abort the request with an HTTP 403 Forbidden status.
To successfully exploit the vulnerability, the attacker must host a DNS rebinding service and convince a developer running Serena to visit a malicious website.
The malicious script issues an asynchronous POST request to /api/memory containing payload data targeting Serena's persistent memory. Once the persistent memory store is poisoned, Serena's autonomous agent reads the modified instruction list during its next iteration loop. The agent, attempting to fulfill the injected task, invokes its integrated execute_shell_command module. This tool utilizes Python's subprocess engine with shell=True, executing the raw string payload and resulting in full remote code execution.
An exploitation of CVE-2026-49471 leads to complete compromise of the developer's workstation. Because the shell commands run with the context of the user running Serena, the attacker gains access to SSH keys, local source code repositories, application credentials, and cloud service configuration files.
The CVSS v3.1 score is evaluated at 8.3 (High). The score reflects high impacts on confidentiality, integrity, and availability, combined with a Scope change (S:C) since execution escapes the browser sandbox to influence the underlying operating system. The rating is limited only by the high complexity of configuring the DNS rebinding infrastructure and the requirement for user interaction.
As development environments are highly valued targets for supply-chain pivot attacks, compromising an active developer's machine using this method provides a potential gateway to enterprise build pipelines and internal source control platforms.
The standard remediation is upgrading the Serena tool suite to version v1.5.2 or later, which enforces Host header validation on the web server routing engine.
Despite the implemented fix, minor security considerations remain. The validation set does not explicitly account for IPv6 loopback bindings (e.g., [::1]:{port}). In environment configurations where Serena binds to dual-stack interfaces, variations in browser routing might still expose endpoints if loopback resolving exhibits non-standard behavior.
Furthermore, because the local API still lacks CSRF tokens or authentication secrets, any Cross-Site Scripting (XSS) vulnerability found in another application running on localhost (such as a local development server on port 3000) could still be leveraged to perform requests to Serena, as those requests would carry a valid localhost:24282 Host header.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
serena oraios | < 1.5.2 | v1.5.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-306 / CWE-352 |
| Attack Vector | Network (with User Interaction) |
| CVSS v3.1 Score | 8.3 (High) |
| EPSS Score | 0.00237 (Percentile: 14.61%) |
| Exploit Status | Proof of Concept (PoC) available |
| Impact | Unauthenticated Remote Code Execution (RCE) |
| KEV Status | Not Listed |
The product does not perform any authentication for a functionality that requires a security defense or identity check.
Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.
The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.
A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.
Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.
CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.