{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@penpot/mcp--2.15.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@penpot/mcp (\u003c 2.15.0)"],"_cs_severities":["high"],"_cs_tags":["remote-code-execution","unauthenticated-access"],"_cs_type":"advisory","_cs_vendors":["Penpot"],"content_html":"\u003cp\u003eThe Penpot MCP (Meta Communication Protocol) module contains a vulnerability in its \u003ccode\u003eReplServer\u003c/code\u003e component. This server, designed for interactive code execution, inadvertently binds to all network interfaces (0.0.0.0) on port 4403 and exposes an \u003ccode\u003e/execute\u003c/code\u003e endpoint without any form of authentication. This means that any system on the network can send a POST request to this endpoint with a JSON payload containing JavaScript code, which will then be executed on the Penpot MCP server. The vulnerability was reported after a similar issue was identified in \u003ccode\u003ePenpotMcpServer.ts\u003c/code\u003e and partially addressed. However, \u003ccode\u003eReplServer.ts\u003c/code\u003e was overlooked during the fix. The issue exists in versions prior to 2.15.0.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Penpot MCP server running with the vulnerable \u003ccode\u003eReplServer\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe attacker determines the server\u0026rsquo;s IP address and confirms the \u003ccode\u003e/execute\u003c/code\u003e endpoint is accessible on port 4403.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a POST request to \u003ccode\u003ehttp://\u0026lt;target-ip\u0026gt;:4403/execute\u003c/code\u003e with a JSON payload.\u003c/li\u003e\n\u003cli\u003eThe JSON payload contains a \u0026ldquo;code\u0026rdquo; field with malicious JavaScript code to be executed on the server.\u003c/li\u003e\n\u003cli\u003eThe server receives the POST request and executes the JavaScript code via \u003ccode\u003ePluginBridge.executePluginTask()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe executed code performs malicious actions, such as reading sensitive files (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e), executing system commands (e.g., \u003ccode\u003eid\u003c/code\u003e), or dumping environment variables.\u003c/li\u003e\n\u003cli\u003eThe server sends a JSON response back to the attacker with the results of the code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the exposed information or continues to execute commands to compromise the system further.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an unauthenticated attacker to execute arbitrary code on the machine running the MCP module. This can lead to sensitive information disclosure, such as reading files containing credentials and API keys, as well as executing system commands with the privileges of the Penpot MCP server process. Although the MCP module isn\u0026rsquo;t part of the default Docker deployment, it may be used by developers and teams for AI-assisted design work. If deployed in shared development environments or CI/CD pipelines, the exposed port is reachable from the network, increasing the risk of compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003e@penpot/mcp\u003c/code\u003e package to version 2.15.0 or later to patch CVE-2026-45805.\u003c/li\u003e\n\u003cli\u003eModify the \u003ccode\u003eReplServer.ts\u003c/code\u003e file to bind to localhost by adding the \u0026rsquo;localhost\u0026rsquo; host parameter to the \u003ccode\u003elisten\u003c/code\u003e call on line 89, as described in the suggested fix.\u003c/li\u003e\n\u003cli\u003eImplement authentication for the \u003ccode\u003e/execute\u003c/code\u003e endpoint to prevent unauthorized access. Consider using a shared secret from an environment variable as a basic authentication mechanism.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Penpot MCP Unauthenticated Code Execution Attempt\u0026rdquo; to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T20:00:35Z","date_published":"2026-05-19T20:00:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-penpot-mcp-rce/","summary":"The Penpot MCP module's ReplServer binds to all interfaces and exposes an unauthenticated /execute endpoint, allowing remote attackers to execute arbitrary code by sending a POST request with JavaScript code, leading to potential information disclosure and command execution.","title":"Penpot MCP REPL Server Unauthenticated Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-05-penpot-mcp-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — @Penpot/Mcp (\u003c 2.15.0)","version":"https://jsonfeed.org/version/1.1"}