CVE-2026-5029

CVE-2026-5029 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-306.

Key facts

Description

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

Frequently asked questions

What is CVE-2026-5029?
A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.
How severe is CVE-2026-5029?
CVE-2026-5029 has a CVSS 4.0 base score of 8.7, rated high severity.
Is CVE-2026-5029 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (21st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-5029?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-5029 have an EU (EUVD) identifier?
Yes. CVE-2026-5029 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-29437.
When was CVE-2026-5029 published?
CVE-2026-5029 was published on 2026-05-12 and last updated on 2026-06-17.

References

Other CWE-306 (Missing Authentication for Critical Function) vulnerabilities

Browse all CWE-306 (Missing Authentication for Critical Function) vulnerabilities →