CVE-2026-30352
Remote Code Execution in leonvanzyl autocoder /devserver/start Endpoint
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leonvanzyl | autocoder | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this remote code execution vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-30352 is a remote code execution (RCE) vulnerability in the leonvanzyl Autocoder project, specifically in commit 79d02a. It affects the `/devserver/start` endpoint and the `/api/projects/{project}/devserver/config` PATCH endpoint.
An attacker with network access to the devserver API can exploit this vulnerability by providing a specially crafted `command` parameter. This allows the attacker to start a development server with an attacker-controlled command or persist a malicious custom command, resulting in arbitrary operating system command execution on the server.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary code on the affected server remotely without any privileges or user interaction.
- Complete compromise of the server hosting the Autocoder devserver.
- Potential unauthorized access to sensitive data or systems connected to the server.
- Disruption of services due to malicious commands executed by the attacker.
- Possibility of persistent backdoors or malware installation on the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and testing the `/devserver/start` and `/api/projects/{project}/devserver/config` PATCH endpoints for unexpected or crafted `command` parameters that could lead to arbitrary command execution.
One way to confirm the vulnerability is to send controlled requests to these endpoints with a benign `command` parameter and observe the server's response or behavior.
Network detection can include monitoring for unusual HTTP requests targeting the `/devserver/start` endpoint with suspicious `command` parameters.
Example commands to test or detect the vulnerability might include using curl to send crafted requests:
- `curl -X POST http://<target>/devserver/start -d 'command=whoami'`
- `curl -X PATCH http://<target>/api/projects/<project>/devserver/config -H 'Content-Type: application/json' -d '{"command":"whoami"}'`
If the server executes the command and returns output, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting network access to the vulnerable endpoints to trusted users only, such as by implementing firewall rules or network segmentation.
Disabling or restricting the `/devserver/start` and `/api/projects/{project}/devserver/config` PATCH endpoints if they are not required can reduce exposure.
Applying any available patches or updates from the leonvanzyl Autocoder project that address this vulnerability is critical.
Monitoring logs for suspicious activity targeting these endpoints can help detect exploitation attempts early.
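As an added example (not from this page or the Autocoder project), a small Python log scanner that supports the monitoring step above: it picks out requests to the two affected endpoints, extracts the `command` value, and flags values that contain shell metacharacters or are not on an allowlist of expected dev-server launch commands. The log line format, the sample lines and the allowlist are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample log lines in an assumed "METHOD PATH BODY" format; not real traffic.
SAMPLE_LOG = [
    "POST /devserver/start command=npm%20run%20dev",
    "POST /devserver/start command=npm%20run%20dev%3B%20id",
    'PATCH /api/projects/demo/devserver/config {"command":"vite --port 3000"}',
    'PATCH /api/projects/demo/devserver/config {"command":"id"}',
    "GET /api/projects/demo/files",
]

# Dev-server launch commands expected in this deployment (assumption: adjust to yours).
ALLOWED_COMMANDS = ("npm run dev", "vite", "yarn dev", "pnpm dev")
# Characters that let one command turn into several when handed to a shell.
SHELL_META = re.compile(r"[;&|`$<>\n]")
CONFIG_PATH = re.compile(r"^/api/projects/[^/]+/devserver/config$")


def extract_command(method, path, body):
    """Return the command value sent to one of the two watched endpoints, else None."""
    if method == "POST" and path == "/devserver/start":
        return parse_qs(body).get("command", [None])[0]
    if method == "PATCH" and CONFIG_PATH.match(path):
        try:
            return json.loads(body).get("command")
        except (ValueError, AttributeError):
            return None
    return None


def classify(command):
    """Label a command: 'metachar' (shell metacharacters), 'unexpected' (off allowlist) or 'ok'."""
    if SHELL_META.search(command):
        return "metachar"
    stripped = command.strip()
    if any(stripped == a or stripped.startswith(a + " ") for a in ALLOWED_COMMANDS):
        return "ok"
    return "unexpected"


def scan(lines):
    """Return (line_number, verdict, command) for every watched request that is not 'ok'."""
    findings = []
    for number, line in enumerate(lines, start=1):
        method, path, *rest = line.split(" ", 2)
        command = extract_command(method, path, rest[0] if rest else "")
        verdict = classify(command) if command is not None else "ok"
        if verdict != "ok":
            findings.append((number, verdict, command))
    return findings
```

Running `scan(SAMPLE_LOG)` reports line 2 (a `;` chained into the start command) and line 4 (a persisted config command that is not a known dev-server launcher), while the two legitimate requests and the unrelated GET are ignored.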