CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-49471

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

Alon Barad
Alon Barad
Software Engineer

Jul 8, 2026·5 min read·6 visits

Executive Summary (TL;DR)

Serena's unauthenticated Flask API on local port 24282 is vulnerable to DNS Rebinding. Remote attackers can leverage malicious web pages to bypass the browser Same-Origin Policy, poison the AI agent's memory, and trigger arbitrary command execution on the developer's workstation.

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

Vulnerability Overview

Serena is an AI-assisted coding Model Context Protocol (MCP) toolkit providing semantic retrieval, indexing, and direct workspace editing capabilities. To provide interactive diagnostics to developers, Serena initializes a local Flask-based web application hosting its workspace dashboard on a predictable TCP port (24282).

This dashboard exposes administrative APIs that allow direct read and write access to the tool's underlying data stores, memory, and task configurations. In vulnerable versions, this Flask dashboard contains no authentication mechanism, session tokens, or cross-origin request restrictions, which presents an extensive unauthenticated local attack surface.

While the application is typically bound to the loopback interface, standard browser security protections such as the Same-Origin Policy (SOP) are insufficient to protect the local endpoints. By leveraging DNS Rebinding, external web origins can communicate directly with the local server to execute administrative functions.

Root Cause Analysis

The root cause of this vulnerability lies in a critical combination of insecure defaults: binding to a predictable hardcoded port, missing API-level authentication, and an absence of HTTP Host header validation.

Serena configures its local Flask application to bind to port 24282, which is hardcoded as hexadecimal value 0x5EDA within the configuration file constants.py. Because the endpoint is predictable, attackers can construct cross-origin web requests targeting this exact port without requiring prior network reconnaissance. Crucially, the endpoints do not validate the HTTP Host header of incoming requests.

In a DNS Rebinding attack, an attacker-controlled external domain has its DNS Time-To-Live (TTL) set to a low value. The victim's browser loads a malicious page from this domain, caches the initial resolution, and then re-queries the domain after the TTL expires. The attacker's DNS server then resolves the domain to 127.0.0.1. The browser, treating this as the same origin, issues asynchronous POST requests to the local Serena service. Because the application processes requests containing arbitrary Host headers, the browser's Same-Origin Policy is bypassed, allowing state manipulation on the local application.

Code-Level Analysis

The vulnerability exists because Serena did not check the routing details of the request headers before processing endpoints. In versions prior to v1.5.2, any HTTP request hitting the dashboard was authorized automatically.

The remediation, committed in hash 016ccbe1c095a3eed7967737ac1d4df2754f5d96 inside src/serena/dashboard.py, introduces a pre-request filtering mechanism using Flask's before_request hook:

# Verify host and port on each request to prevent DNS-rebinding-based attacks
@self._app.before_request
def check_host() -> None:
    allowed = {f"127.0.0.1:{port}", f"localhost:{port}"}
    if request.host not in allowed:
        abort(403)

This filter asserts that the request.host attribute strictly matches either 127.0.0.1 or localhost bound to the active port. If an external browser script makes a request using a rebound domain name, the Host header (e.g., rebound.attacker.com:24282) will fail this set-membership validation, and the application will abort the request with an HTTP 403 Forbidden status.

Exploitation & Execution Flow

To successfully exploit the vulnerability, the attacker must host a DNS rebinding service and convince a developer running Serena to visit a malicious website.

The malicious script issues an asynchronous POST request to /api/memory containing payload data targeting Serena's persistent memory. Once the persistent memory store is poisoned, Serena's autonomous agent reads the modified instruction list during its next iteration loop. The agent, attempting to fulfill the injected task, invokes its integrated execute_shell_command module. This tool utilizes Python's subprocess engine with shell=True, executing the raw string payload and resulting in full remote code execution.

Impact & Security Consequences

An exploitation of CVE-2026-49471 leads to complete compromise of the developer's workstation. Because the shell commands run with the context of the user running Serena, the attacker gains access to SSH keys, local source code repositories, application credentials, and cloud service configuration files.

The CVSS v3.1 score is evaluated at 8.3 (High). The score reflects high impacts on confidentiality, integrity, and availability, combined with a Scope change (S:C) since execution escapes the browser sandbox to influence the underlying operating system. The rating is limited only by the high complexity of configuring the DNS rebinding infrastructure and the requirement for user interaction.

As development environments are highly valued targets for supply-chain pivot attacks, compromising an active developer's machine using this method provides a potential gateway to enterprise build pipelines and internal source control platforms.

Remediation and Residual Risk

The standard remediation is upgrading the Serena tool suite to version v1.5.2 or later, which enforces Host header validation on the web server routing engine.

Despite the implemented fix, minor security considerations remain. The validation set does not explicitly account for IPv6 loopback bindings (e.g., [::1]:{port}). In environment configurations where Serena binds to dual-stack interfaces, variations in browser routing might still expose endpoints if loopback resolving exhibits non-standard behavior.

Furthermore, because the local API still lacks CSRF tokens or authentication secrets, any Cross-Site Scripting (XSS) vulnerability found in another application running on localhost (such as a local development server on port 3000) could still be leveraged to perform requests to Serena, as those requests would carry a valid localhost:24282 Host header.

Official Patches

oraiosFix commit implementing Host header validation
oraiosGitHub Security Advisory GHSA-37h2-6p4f-mp3q

Fix Analysis (1)

Technical Appendix

CVSS Score
8.3/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Probability
0.24%
Top 85% most exploited

Affected Systems

Serena Model Context Protocol (MCP) Toolkit

Affected Versions Detail

Product
Affected Versions
Fixed Version
serena
oraios
< 1.5.2v1.5.2
AttributeDetail
CWE IDCWE-306 / CWE-352
Attack VectorNetwork (with User Interaction)
CVSS v3.1 Score8.3 (High)
EPSS Score0.00237 (Percentile: 14.61%)
Exploit StatusProof of Concept (PoC) available
ImpactUnauthenticated Remote Code Execution (RCE)
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1189Drive-by Compromise
Initial Access
CWE-306
Missing Authentication for Critical Function

The product does not perform any authentication for a functionality that requires a security defense or identity check.

Vulnerability Timeline

Security patch committed to the Serena repository
2026-05-26
GitHub Security Advisory GHSA-37h2-6p4f-mp3q published
2026-07-07
CVE-2026-49471 published by CVE.org and NVD
2026-07-07

References & Sources

  • [1]GitHub Security Advisory GHSA-37h2-6p4f-mp3q
  • [2]Official Security Fix Commit
  • [3]Serena v1.5.2 Release Tag
  • [4]NVD Vulnerability Record
  • [5]CVE.org CVE-2026-49471 Record

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
3 views•5 min read
•about 2 hours ago•GHSA-MXWC-WH95-PW4G
5.3

GHSA-MXWC-WH95-PW4G: Denial of Service via Uncontrolled Recursion in Trapster DNS Parser

The trapster honeypot package is vulnerable to a remote denial of service (DoS) vulnerability due to uncontrolled recursion during the parsing of malformed DNS compression pointers in the decode_labels function.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-Q95X-7G78-RCCV
6.3

GHSA-Q95X-7G78-RCCV: Safe Rust Memory Corruption via Use-After-Free in oneringbuf Crate

A critical Use-After-Free (UAF) memory corruption vulnerability exists in the oneringbuf Rust crate prior to version 0.8.0. The vulnerability allows safe Rust code to instantiate and clone reference wrappers that point to heap-allocated ring buffers. Dropping one wrapper prematurely reclaims the backing memory, leading to dangling pointer references and subsequent Use-After-Free or Double Free states.

Amit Schendel
Amit Schendel
4 views•7 min read
•about 16 hours ago•CVE-2026-53359
8.8

CVE-2026-53359: Use-After-Free in Linux Kernel KVM Shadow MMU (Januscape)

Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.

Amit Schendel
Amit Schendel
71 views•5 min read
•about 16 hours ago•CVE-2026-48282
10.0

CVE-2026-48282: Unauthenticated Path Traversal and Arbitrary File Write in Adobe ColdFusion Remote Development Services

CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.

Alon Barad
Alon Barad
26 views•6 min read
•about 21 hours ago•GHSA-GQ4G-FPC9-VJFQ
2.3

GHSA-gq4g-fpc9-vjfq: Username Enumeration via Predictable Decoy Credentials in web-auth/webauthn-lib

An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.

Alon Barad
Alon Barad
8 views•5 min read