CVE-2026-45805
Received Received - Intake

Unauthenticated Remote Code Execution in Penpot MCP

Vulnerability report for CVE-2026-45805, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Penpot is an open-source design tool for design and code collaboration. Prior to 2.15.0, Penpot MCP's mcp/packages/server/src/ReplServer.ts bound the ReplServer to 0.0.0.0:4403 and exposed an unauthenticated /execute endpoint that passed the code field to PluginBridge.executePluginTask(), allowing anyone on the network to execute JavaScript on the server. This issue is fixed in version 2.15.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
penpot penpot 2.15.0
penpot mcp *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-749 The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in Penpot's MCP module where the ReplServer binds to all network interfaces (0.0.0.0:4403) and exposes an unauthenticated /execute endpoint. Attackers can send POST requests with a code field to execute arbitrary JavaScript on the server without authentication.

Impact Analysis

An attacker could execute arbitrary code on your server, potentially reading files, running system commands, accessing sensitive data like database credentials or API keys, and causing full system compromise. This is especially risky in shared or local development environments.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles and HIPAA's security requirements for protected health information. Non-compliance risks include legal penalties and reputational damage.

Detection Guidance

Check if Penpot MCP's ReplServer is listening on 0.0.0.0:4403 by running 'netstat -tulnp | grep 4403' or 'ss -tulnp | grep 4403'. If it is, the server is exposed to the network. Test the /execute endpoint by sending a POST request with a code field, e.g., 'curl -X POST http://<target-ip>:4403/execute -H "Content-Type: application/json" -d '{"code":"require("child_process").exec("whoami")"}'.

Verify the server version. If it is below 2.15.0, the system is vulnerable. Check logs for unauthorized /execute requests or unexpected JavaScript execution.

Mitigation Strategies

Upgrade Penpot MCP to version 2.15.0 or later to ensure the ReplServer binds only to localhost. If upgrading is not possible, manually configure the ReplServer to bind to 127.0.0.1 instead of 0.0.0.0.

Restrict network access to the MCP server by using firewalls or network policies to block external connections to port 4403. Disable the MCP module if not required for AI-assisted design work.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45805. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart