DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49471: CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning

Vulnerability ID: CVE-2026-49471
CVSS Score: 8.3
Published: 2026-07-08

CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.

TL;DR

Serena's unauthenticated Flask API on local port 24282 is vulnerable to DNS Rebinding. Remote attackers can leverage malicious web pages to bypass the browser Same-Origin Policy, poison the AI agent's memory, and trigger arbitrary command execution on the developer's workstation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306 / CWE-352
  • Attack Vector: Network (with User Interaction)
  • CVSS v3.1 Score: 8.3 (High)
  • EPSS Score: 0.00237 (Percentile: 14.61%)
  • Exploit Status: Proof of Concept (PoC) available
  • Impact: Unauthenticated Remote Code Execution (RCE)
  • KEV Status: Not Listed

Affected Systems

  • Serena Model Context Protocol (MCP) Toolkit
  • serena: < 1.5.2 (Fixed in: v1.5.2)

Code Analysis

Commit: 016ccbe

Verify host and port on each request to prevent DNS-rebinding-based attacks

@@ -776,7 +776,15 @@ def run(self, host: str, port: int) -> int:

         cli.show_server_banner = lambda *args, **kwargs: None

+        # Verify host and port on each request to prevent DNS-rebinding-based attacks
+        @self._app.before_request
+        def check_host() -> None:
+            allowed = {f"127.0.0.1:{port}", f"localhost:{port}"}
+            if request.host not in allowed:
+                abort(403)
+
         self._app.run(host=host, port=port, debug=False, use_reloader=False, threaded=True)
+
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade Serena to version 1.5.2 or newer to enable Host header validation.
  • Ensure Serena is bound exclusively to the loopback interface (127.0.0.1) and never to 0.0.0.0.
  • Incorporate local network controls or local firewalls to block unauthorized internal cross-port requests.
  • Employ browser extensions or DNS configurations that block DNS resolution of public domains to loopback addresses.

Remediation Steps:

  1. Identify the installed version of Serena by checking the active environment package manifest.
  2. Execute the package manager update command: pip install --upgrade serena (or the equivalent repository command for your environment).
  3. Restart any running instances of the Serena agent to reload the patched dashboard module.
  4. Verify the patch by running: curl -H 'Host: attacker.local' http://127.0.0.1:24282/ and checking for a 403 Forbidden response status.

References


Read the full report for CVE-2026-49471 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)