CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49471

highCVSS 8.3covered by 2 sourcesfirst seen 2026-07-07
Summary Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port (TCP 24282, hardcoded as 0x5EDA in constants.py). The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach this API from any browser and write arbitrary content to the agent's persistent memory store — which the agent reads and acts on autonomously. Combined with execute_shell_command (enabled by default in all contexts via shell=True), this creates a full remote code execution chain requiring only that the victim visit a malicious webpage while Serena is running. Details Root cause 1 — Unauthenticated dashboard (src/serena/dashboard.py) The Flask server starts automatically (web_dashboard: true by default) on a fixed, predictable port with no auth middleware: src/serena/constants.py DASHBOARD_API_BASE_PORT = 0x5EDA # = 24282, always the same src/serena/dashboard.py — no auth, no CSRF, no Host header validation on any route @self._app.route("/save_memory", methods=["POST"]) def save_memory(): request_data = request.get_json() self._save_memory(...) # writes to disk, no credentials checked @self._app.route("/shutdown", methods=["PUT"]) def shutdown(): self._agent.shutdown() # kills the agent, no credentials checked Flask does not validate the Host header by default (no SERVER_NAME set), which is the prerequisite for DNS rebinding. **Root cause 2 — execute_shell_command uses shell=True (src/serena/util/shell.py) subprocess.Popen( command, # attacker-controlled string from injected memory shell=True, # enables shell metacharacter injection ... ) This tool is enabled in every default context YAML: ide.yml, vscode.yml, claude-code.yml, copilot-cli.yml, codex.yml, jb-ai-assistant.yml, junie.yml, antigravity.yml. PoC Step 1 — Verify missing auth (no DNS rebinding needed):** Start Serena normally — dashboard auto-starts on port 24282 curl http://127.0.0.1:24282/heartbea

⚡ Watch CVE-2026-49471

Get an email if CVE-2026-49471 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-49471

CVE.org record

Embed the live status

CVE-2026-49471 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49471 status](https://www.csirts.com/badge/CVE-2026-49471)](https://www.csirts.com/cve/CVE-2026-49471)