Skip to content
Threat Feed
high advisory

Serena Agent Unauthenticated RCE via DNS Rebinding (CVE-2026-49471)

An unspecified attacker can achieve remote code execution in Serena agent versions prior to 1.5.2 by leveraging an unauthenticated Flask dashboard, DNS rebinding, and memory poisoning, enabling persistent attacker-controlled command execution.

CVE-2026-49471 details a critical vulnerability in the Serena agent, affecting versions prior to 1.5.2. This vulnerability stems from an unauthenticated Flask web dashboard that is automatically enabled by default on a fixed and predictable TCP port 24282. The dashboard lacks authentication, CSRF protection, and Host header validation, making it susceptible to DNS rebinding attacks. An attacker can trick a victim, running the vulnerable Serena agent, into visiting a malicious webpage. This webpage leverages DNS rebinding to proxy requests to the local Serena dashboard, poisoning its persistent memory store with attacker-controlled content. When the agent subsequently processes this memory, it executes the injected commands via subprocess.Popen with shell=True, leading to full OS-level remote code execution. This allows attackers to achieve persistence, exfiltrate data, access agent logs, and perform denial-of-service.

Attack Chain

  1. An attacker registers a domain (e.g., attacker.com) with a short DNS Time-To-Live (TTL) and hosts a malicious webpage.
  2. A victim, running a vulnerable Serena agent (version < 1.5.2) with the default web_dashboard: true setting, visits the attacker-controlled webpage.
  3. The attacker's webpage immediately rebinds its DNS resolution from the attacker's server to 127.0.0.1 after the initial page load.
  4. Malicious JavaScript on the webpage sends a POST request to attacker.com:24282/save_memory, which the victim's browser now resolves to the local Serena agent's dashboard due to the DNS rebinding.
  5. Serena's unauthenticated Flask dashboard on TCP 24282 accepts the /save_memory request, writing attacker-controlled content (e.g., an execute_shell_command) to the agent's persistent memory store.
  6. In a subsequent agent session or when processing new tasks, the Serena agent reads the poisoned memory from disk.
  7. The Serena agent then attempts to execute the attacker-controlled command using subprocess.Popen(command, shell=True), where shell=True enables direct shell command execution.
  8. This results in full OS-level remote code execution on the victim's machine, allowing the attacker to exfiltrate data, maintain persistence, or further compromise the system.

Impact

CVE-2026-49471 poses a severe risk to any user operating the Serena agent with its default configuration. Successful exploitation allows an attacker, without any credentials or prior access, to gain OS-level remote code execution on the victim's system. Beyond RCE, attackers can inject persistent prompt-injection payloads into the agent's memory, read sensitive agent activity logs (including conversation history and project details), overwrite the Serena configuration file, and trigger a denial-of-service by shutting down the agent. While no specific victim counts are provided, all users of affected Serena agent versions are at risk if targeted by a malicious webpage.

Recommendation

  • Patch CVE-2026-49471 by upgrading Serena agent to version 1.5.2 or later immediately.
  • Deploy the Sigma rule provided in this brief to detect suspicious process execution originating from the Serena agent.
  • Enable Sysmon process-creation logging (Event ID 1) on endpoints running the Serena agent to activate detection of suspicious shell activity.
  • Block known attacker infrastructure such as attacker.com at the DNS resolver or web proxy to prevent initial access via DNS rebinding and potential C2 communication.
  • Review Serena agent configuration and consider disabling web_dashboard: true if its functionality is not explicitly required in your environment.

Detection coverage 1

CVE-2026-49471 Serena Agent RCE - Suspicious Shell Process Creation

high

Detects Serena agent (Python process) spawning suspicious shell processes (cmd.exe, powershell.exe) with potentially malicious command lines, indicative of CVE-2026-49471 exploitation.

sigma tactics: execution techniques: T1059.001, T1059.003, T1202 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →

Indicators of compromise

1

domain

TypeValue
domainattacker.com