CVE-2026-5029 HIGH

CVE-2026-5029: RCE in Code Runner MCP Server

Vendor: Code Runner Mcp Server
Product: Code Runner MCP Server
Weakness: CWE-306 · Missing auth
Published: May 12, 2026
Last update: May 12, 2026

CVSS base score

8.7/10
Attack vector: Adjacent
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.
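
A detection sketch for the exposure described above, as an added example that is not part of the original advisory or the project's code: it scans HTTP request records for MCP `tools/call` requests naming `run-code` that reached `/mcp` from a non-loopback address. The record format (`ts`, `src`, `method`, `path`, `body`, for instance from a proxy or capture in front of port 3088) is an assumption, as is the standard MCP `tools/call` message shape with the tool name in `params.name`; the sample records are constructed.

```javascript
// Added example: flag run-code tool calls that reached /mcp from non-loopback clients.
// Assumed record shape (one JSON object per line): ts, src, method, path, body.

const isLoopback = (ip) =>
  ip === "::1" || /^(::ffff:)?127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(ip);

// JSON-RPC messages in a body (single object or batch array); [] if unparsable.
function rpcMessages(body) {
  try {
    const parsed = JSON.parse(body);
    return (Array.isArray(parsed) ? parsed : [parsed]).filter(
      (m) => m !== null && typeof m === "object");
  } catch {
    return [];
  }
}

function findExposedRunCode(logLines) {
  const hits = [];
  for (const line of logLines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (!rec || rec.method !== "POST") continue;
    if (!/^\/mcp\/?$/.test(String(rec.path).split("?")[0])) continue;
    if (isLoopback(String(rec.src))) continue; // local clients are expected
    for (const msg of rpcMessages(rec.body)) {
      // MCP tool invocation: method "tools/call", tool name in params.name
      if (msg.method === "tools/call" && msg.params && msg.params.name === "run-code") {
        hits.push({ ts: rec.ts, src: rec.src, id: msg.id ?? null });
      }
    }
  }
  return hits;
}

// Constructed sample records (not real traffic); tool arguments left empty.
const call = (id) => ({ jsonrpc: "2.0", id, method: "tools/call",
  params: { name: "run-code", arguments: {} } });
const mkRec = (src, body) => JSON.stringify({ ts: "2026-05-12T10:00:00Z", src,
  method: "POST", path: "/mcp", body });
const SAMPLE_LOG = [
  mkRec("127.0.0.1", JSON.stringify(call(1))),
  mkRec("192.0.2.44", JSON.stringify({ jsonrpc: "2.0", id: 7, method: "tools/list" })),
  mkRec("192.0.2.44", JSON.stringify([call(8)])),
  mkRec("192.0.2.45", "{not json"),
];

console.log(findExposedRunCode(SAMPLE_LOG));
```

Because the endpoint performs no authentication, every hit is a request the server would have executed; any non-loopback traffic to `/mcp` at all is also worth reviewing.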

Key dates

02 Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated