CVE-2026-49471
Summary
Serena's built-in web dashboard exposes an unauthenticated Flask API on a fixed, predictable port (TCP 24282, hardcoded as 0x5EDA in constants.py). The server has no authentication, no CSRF protection, and no Host header validation. A DNS rebinding attack allows a malicious webpage to reach this API from any browser and write arbitrary content to the agent's persistent memory store — which the agent reads and acts on autonomously. Combined with execute_shell_command (enabled by default in all contexts via shell=True), this creates a full remote code execution chain requiring only that the victim visit a malicious webpage while Serena is running.
Details
Root cause 1 — Unauthenticated dashboard (src/serena/dashboard.py)
The Flask server starts automatically (web_dashboard: true by default) on a fixed, predictable port with no auth middleware:
src/serena/constants.py
DASHBOARD_API_BASE_PORT = 0x5EDA # = 24282, always the same
src/serena/dashboard.py — no auth, no CSRF, no Host header validation on any route
@self._app.route("/save_memory", methods=["POST"])
def save_memory():
request_data = request.get_json()
self._save_memory(...) # writes to disk, no credentials checked
@self._app.route("/shutdown", methods=["PUT"])
def shutdown():
self._agent.shutdown() # kills the agent, no credentials checked
Flask does not validate the Host header by default (no SERVER_NAME set), which is the prerequisite for DNS rebinding.
**Root cause 2 — execute_shell_command uses shell=True (src/serena/util/shell.py)
subprocess.Popen(
command, # attacker-controlled string from injected memory
shell=True, # enables shell metacharacter injection
...
)
This tool is enabled in every default context YAML: ide.yml, vscode.yml, claude-code.yml, copilot-cli.yml, codex.yml, jb-ai-assistant.yml, junie.yml, antigravity.yml.
PoC
Step 1 — Verify missing auth (no DNS rebinding needed):**
Start Serena normally — dashboard auto-starts on port 24282
curl http://127.0.0.1:24282/heartbea
⚡ Watch CVE-2026-49471
Get an email if CVE-2026-49471 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.24% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 15% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-49471)