CVE-2026-49471
Received Received - Intake

Remote Code Execution in Serena MCP Toolkit

Vulnerability report for CVE-2026-49471, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: GitHub, Inc.

Description

Serena is a powerful MCP toolkit for coding that provides semantic retrieval and editing capabilities. Prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port, with no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach this API from any browser and write arbitrary content to the agent's persistent memory store, which the agent reads and acts on autonomously. Combined with execute_shell_command using shell=True, this creates a remote code execution chain requiring only that the victim visit a malicious webpage while Serena is running. This issue is fixed in version v1.5.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
serena serena to 1.5.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in Serena, a toolkit for coding, where its built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port without authentication, CSRF protection, or Host header validation.

This allows a DNS rebinding attack, where a malicious webpage can access the API from any browser and write arbitrary content to the agent's persistent memory store.

Because the agent reads and acts on this stored content autonomously, and combined with the execute_shell_command function using shell=True, this creates a remote code execution chain that only requires the victim to visit a malicious webpage while Serena is running.

This vulnerability was fixed in Serena version v1.5.2.

Impact Analysis

This vulnerability can lead to remote code execution on the affected system, allowing an attacker to run arbitrary commands with the privileges of the Serena agent.

An attacker only needs the victim to visit a malicious webpage to exploit this, potentially leading to full system compromise, data theft, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Serena to version v1.5.2 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49471. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart