PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
Severity: High
Description
The MCP module’s ReplServer binds to all interfaces (0.0.0.0:4403) and exposes a /execute endpoint that runs arbitrary code without any authentication. Because the listener is not restricted to loopback, anyone who can reach the port over the network can POST JavaScript and have it executed in the server process with the server's privileges. The main PenpotMcpServer was partially fixed for a similar binding issue (#8683), but ReplServer.ts was missed.
Recommendation
Update the @penpot/mcp package to the latest compatible version. Version details:
- Affected version(s): < 2.15.0
- Patched version(s): 2.15.0
Related Issues
- Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls - CVE-2026-42856
- Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths - CVE-2026-39320
- Parse Server's Session Update endpoint allows overwriting server-generated session fields - CVE-2026-33527
- Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching - CVE-2026-46341
Tags: npm, @penpot/mcp
Last updated on May 19, 2026