PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
- Severity:
- High
Description
The MCP module’s ReplServer binds to all interfaces (0.0.0.0:4403) and exposes a /execute endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main PenpotMcpServer was partially fixed for a similar binding issue (#8683), but ReplServer.ts was missed.
Recommendation
Update the @penpot/mcp package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.15.0
- Patched version(s): 2.15.0
References
Related Issues
- Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls - CVE-2026-42856
- Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
- Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` - CVE-2026-39381
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
You might also like:
- Tags:
- npm
- @penpot/mcp
Anything's wrong? Let us know Last updated on May 19, 2026


