Skip to main content

blender-mcp CVE-2026-10688

| EUVDEUVD-2026-34048 LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-06-02 cna@vuldb.com GHSA-fx9q-x9g5-jgg6
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 02, 2026 - 23:32 vuln.today

DescriptionCVE.org

A vulnerability was determined in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. This manipulation of the argument code causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Code injection in ahujasid/blender-mcp's execute_blender_code function allows low-privileged remote attackers with passive user interaction to inject and execute arbitrary code through the unsanitized code argument passed to the MCP server endpoint in /src/blender_mcp/server.py. All commits up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b are affected, with no maintainer response to the disclosed GitHub issue #201. A public exploit exists (E:P in CVSS vector; independently confirmed by description), though no public exploit identified at time of analysis for active KEV-tracked campaigns - exploitation remains opportunistic rather than confirmed widespread.

Technical ContextAI

blender-mcp is a Model Context Protocol (MCP) server that exposes Blender's Python scripting environment to AI model clients, enabling programmatic 3D scene manipulation. The vulnerable function execute_blender_code in /src/blender_mcp/server.py accepts a code argument and passes it to Blender's Python evaluator without adequate input neutralization, a textbook CWE-74 (Injection) flaw. Because MCP servers communicate over a network transport, the attack vector is classified as Network (AV:N) in the CVSS 4.0 vector. The direct handoff of user-supplied code to a scripting interpreter - without sanitization, sandboxing, or allowlisting - is the root cause. The rolling release model means no versioned CPE string can be pinned beyond the specific commit hash 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. No CPE entry is available in the provided data.

RemediationAI

No vendor-released patch identified at time of analysis - the project maintainer was notified via GitHub issue #201 but has not responded, and no remediation commit is referenced in the available data. Organizations using blender-mcp should monitor https://github.com/ahujasid/blender-mcp/ for commits that add input validation or sandboxing to the execute_blender_code function. As an immediate compensating control, restrict network access to the MCP server port using firewall rules or binding the listener to localhost only (127.0.0.1), which eliminates the AV:N attack surface entirely at the cost of blocking legitimate remote MCP client connections. If arbitrary Blender code execution via the MCP interface is not required for your workflow, disable or remove the execute_blender_code endpoint entirely - this eliminates the vulnerable surface but removes programmatic Blender scripting capability. Additionally, limit which user accounts or processes can authenticate to the MCP server to reduce the PR:L exposure surface. Do not expose the blender-mcp server to untrusted networks or multi-tenant environments until a maintainer-confirmed fix is available.

Share

CVE-2026-10688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy