CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-37h2-6p4f-mp3q: Serena: Unauthenticated Flask dashboard on fixed port enables DNS rebinding → memory poisoning → RCE

highCVSS 8.3CVE-2026-49471
Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port (TCP 24282, hardcoded as 0x5EDA in constants.py). The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach this API from any browser and write arbitrary content to the agent's persistent memory store — which the agent reads and acts on autonomously. Combined with execute_shell_command (enabled by default in all contexts via shell=True), this creates a full remote code execution chain requiring only that the victim visit a malicious webpage while Serena is running. Details Root cause 1 — Unauthenticated dashboard (src/serena/dashboard.py) The Flask server starts automatically (web_dashboard: true by default) on a fixed, predictable port with no auth middleware: src/serena/constants.py DASHBOARD_API_BASE_PORT = 0x5EDA # = 24282, always the same src/serena/dashboard.py — no auth, no CSRF, no Host header validation on any route @self._app.route("/save_memory", methods=["POST"]) def save_memory(): request_data = request.get_json() self._save_memory(...) # writes to disk, no credentials checked @self._app.route("/shutdown", methods=["PUT"]) def shutdown(): self._agent.shutdown() # kills the agent, no credentials checked Flask does not validate the Host header by default (no SERVER_NAME set), which is the prerequisite for DNS rebinding. **Root cause 2 — execute_shell_command uses shell=True (src/serena/util/shell.py) subprocess.Popen( command, # attacker-controlled string from injected memory shell=True, # enables shell metacharacter injection ... ) This tool is enabled in every default context YAML: ide.yml, vscode.yml, claude-code.yml, copilot-cli.yml, codex.yml, jb-ai-assistant.yml, junie.yml, antigravity.yml. PoC Step 1 — Verify missing auth (no DNS rebinding needed):** Start Serena normally — dashboard auto-starts on port 24282 curl http://127.0.0.1:24282/heartbea

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high — CVSS 8.3
Published
2026-07-08
Last updated
2026-07-08
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-37h2-6p4f-mp3q

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-49471coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories