ByteOS Network

CVE Vulnerability Details :

CVE-2026-5029

PUBLISHED

More Info Official Page

Assigner-CERT-PL

Assigner Org ID-4bb8329e-dd38-46c1-aafb-9bf32bcb93c6

Published At-12 May, 2026 | 09:01

Updated At-12 May, 2026 | 09:01

▼CVE Numbering Authority (CNA)

RCE in Code Runner MCP Server

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

Affected Products

Vendor

Code Runner MCP Server

Product

Code Runner MCP Server

Collection URL

https://github.com

Package Name

mcp-server-code-runner

Repo

https://github.com/formulahendry/mcp-server-code-runner

Default Status

affected

Versions

Affected

From 0 through * (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-306	CWE-306 Missing Authentication for Critical Function

Type: CWE

CWE ID: CWE-306

Description: CWE-306 Missing Authentication for Critical Function

Metrics

Version	Base score	Base severity	Vector
4.0	8.7	HIGH	CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Version: 4.0

Base score: 8.7

Base severity: HIGH

Vector:

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Credits

finder

Eryk Winiarz

References

Hyperlink	Resource
https://cert.pl/en/posts/2026/05/CVE-2026-5029	third-party-advisory

Hyperlink: https://cert.pl/en/posts/2026/05/CVE-2026-5029

Resource:

third-party-advisory

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References