CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning
Vulnerability ID: CVE-2026-49471
CVSS Score: 8.3
Published: 2026-07-08
CVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.
TL;DR
Serena's unauthenticated Flask API on local port 24282 is vulnerable to DNS Rebinding. Remote attackers can leverage malicious web pages to bypass the browser Same-Origin Policy, poison the AI agent's memory, and trigger arbitrary command execution on the developer's workstation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-306 / CWE-352
- Attack Vector: Network (with User Interaction)
- CVSS v3.1 Score: 8.3 (High)
- EPSS Score: 0.00237 (Percentile: 14.61%)
- Exploit Status: Proof of Concept (PoC) available
- Impact: Unauthenticated Remote Code Execution (RCE)
- KEV Status: Not Listed
Affected Systems
- Serena Model Context Protocol (MCP) Toolkit
-
serena: < 1.5.2 (Fixed in:
v1.5.2)
Code Analysis
Commit: 016ccbe
Verify host and port on each request to prevent DNS-rebinding-based attacks
@@ -776,7 +776,15 @@ def run(self, host: str, port: int) -> int:
cli.show_server_banner = lambda *args, **kwargs: None
+ # Verify host and port on each request to prevent DNS-rebinding-based attacks
+ @self._app.before_request
+ def check_host() -> None:
+ allowed = {f"127.0.0.1:{port}", f"localhost:{port}"}
+ if request.host not in allowed:
+ abort(403)
+
self._app.run(host=host, port=port, debug=False, use_reloader=False, threaded=True)
+
Mitigation Strategies
- Upgrade Serena to version 1.5.2 or newer to enable Host header validation.
- Ensure Serena is bound exclusively to the loopback interface (127.0.0.1) and never to 0.0.0.0.
- Incorporate local network controls or local firewalls to block unauthorized internal cross-port requests.
- Employ browser extensions or DNS configurations that block DNS resolution of public domains to loopback addresses.
Remediation Steps:
- Identify the installed version of Serena by checking the active environment package manifest.
- Execute the package manager update command: pip install --upgrade serena (or the equivalent repository command for your environment).
- Restart any running instances of the Serena agent to reload the patched dashboard module.
- Verify the patch by running: curl -H 'Host: attacker.local' http://127.0.0.1:24282/ and checking for a 403 Forbidden response status.
References
- GitHub Security Advisory GHSA-37h2-6p4f-mp3q
- Official Security Fix Commit
- Serena v1.5.2 Release Tag
- NVD Vulnerability Record
- CVE.org CVE-2026-49471 Record
Read the full report for CVE-2026-49471 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)