{"uuid": "74bcc4ea-9215-4358-99a1-e557f120ba3a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-49471", "type": "seen", "source": "https://gist.github.com/alon710/faf458b17f73f7d92e775ebdde2a6b10", "content": "# CVE-2026-49471: CVE-2026-49471: Unauthenticated Remote Code Execution in Serena MCP Toolkit via DNS Rebinding and Memory Poisoning\n\n&gt; **CVSS Score:** 8.3\n&gt; **Published:** 2026-07-08\n&gt; **Full Report:** https://cvereports.com/reports/CVE-2026-49471\n\n## Summary\nCVE-2026-49471 is a high-severity security vulnerability in Serena, an AI-assisted coding Model Context Protocol (MCP) toolkit. In versions prior to v1.5.2, Serena's built-in web dashboard exposes an unauthenticated Flask API on a predictable port. Lacking host validation and CSRF protections, this endpoint is vulnerable to DNS Rebinding. An attacker can lure a user to a malicious webpage, bypass the Same-Origin Policy (SOP), rewrite the AI agent's persistent memory, and execute arbitrary commands on the host operating system via the autonomous agent's shell execution engine.\n\n## TL;DR\nSerena's unauthenticated Flask API on local port 24282 is vulnerable to DNS Rebinding. Remote attackers can leverage malicious web pages to bypass the browser Same-Origin Policy, poison the AI agent's memory, and trigger arbitrary command execution on the developer's workstation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-306 / CWE-352\n- **Attack Vector**: Network (with User Interaction)\n- **CVSS v3.1 Score**: 8.3 (High)\n- **EPSS Score**: 0.00237 (Percentile: 14.61%)\n- **Exploit Status**: Proof of Concept (PoC) available\n- **Impact**: Unauthenticated Remote Code Execution (RCE)\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Serena Model Context Protocol (MCP) Toolkit\n- **serena**: &lt; 1.5.2 (Fixed in: `v1.5.2`)\n\n## Mitigation\n\n- Upgrade Serena to version 1.5.2 or newer to enable Host header validation.\n- Ensure Serena is bound exclusively to the loopback interface (127.0.0.1) and never to 0.0.0.0.\n- Incorporate local network controls or local firewalls to block unauthorized internal cross-port requests.\n- Employ browser extensions or DNS configurations that block DNS resolution of public domains to loopback addresses.\n\n**Remediation Steps:**\n1. Identify the installed version of Serena by checking the active environment package manifest.\n2. Execute the package manager update command: pip install --upgrade serena (or the equivalent repository command for your environment).\n3. Restart any running instances of the Serena agent to reload the patched dashboard module.\n4. Verify the patch by running: curl -H 'Host: attacker.local' http://127.0.0.1:24282/ and checking for a 403 Forbidden response status.\n\n## References\n\n- [GitHub Security Advisory GHSA-37h2-6p4f-mp3q](https://github.com/oraios/serena/security/advisories/GHSA-37h2-6p4f-mp3q)\n- [Official Security Fix Commit](https://github.com/oraios/serena/commit/016ccbe1c095a3eed7967737ac1d4df2754f5d96)\n- [Serena v1.5.2 Release Tag](https://github.com/oraios/serena/releases/tag/v1.5.2)\n- [NVD Vulnerability Record](https://nvd.nist.gov/vuln/detail/CVE-2026-49471)\n- [CVE.org CVE-2026-49471 Record](https://www.cve.org/CVERecord?id=CVE-2026-49471)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-49471) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-08T21:42:03.840370Z"}