CVE-2026-23523 in Dive
Summary
by MITRE • 01/16/2026
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Analysis
by VulDB Data Team • 02/09/2026
The vulnerability identified as CVE-2026-23523 affects Dive, an open-source MCP Host Desktop Application designed to facilitate integration with function-calling large language models. This application serves as a bridge between users and AI-powered tools, enabling seamless interaction with various language model capabilities. The flaw resides in the application's handling of deeplinks, which are URL schemes that can trigger specific actions within desktop applications. Prior to version 0.13.0, Dive failed to implement adequate user confirmation mechanisms when processing crafted deeplinks that contained malicious MCP server configurations.
The vulnerability stems from insufficient input validation and missing user consent checks in the application's deeplink processing pipeline. When a user clicks on a specially crafted deeplink, the application automatically downloads and installs an attacker-controlled MCP server configuration without requiring explicit user approval. This represents a critical failure in the principle of least privilege and user consent, as the application operates under the assumption that all deeplinks are trustworthy. The vulnerability allows an attacker to manipulate the application's configuration files through seemingly legitimate user interactions, effectively bypassing normal security controls. This flaw can be categorized under CWE-347, which addresses improper verification of cryptographic signatures, though in this case the verification failure relates to user consent rather than cryptographic integrity. The attack vector leverages the trust relationship between the user and the application, exploiting the expectation that deeplink interactions should be safe and controlled.
The operational impact of this vulnerability is severe and potentially devastating for users of the affected application. Once an attacker successfully exploits this vulnerability, they gain the ability to execute arbitrary local commands on the victim's machine with the privileges of the user running the application. This creates a significant attack surface that could enable full system compromise, data exfiltration, or lateral movement within a network. The vulnerability is particularly dangerous because it requires no special privileges beyond the ability to convince a user to click on a malicious link, making it an effective phishing vector. The attack chain typically involves an initial compromise through social engineering, followed by the exploitation of the deeplink vulnerability to establish persistent access. This aligns with ATT&CK technique T1193, which covers Spearphishing with a link, and T1059, which covers Command and Scripting Interpreter. The vulnerability can lead to the installation of additional malware, keylogging capabilities, or complete system takeover, depending on the attacker's objectives and the victim's system privileges.
Mitigation strategies for CVE-2026-23523 center around immediate application updates to version 0.13.0 or later, which includes proper user consent mechanisms and enhanced input validation for deeplink processing. Organizations should implement comprehensive user education programs to raise awareness about suspicious links and the risks associated with clicking unknown deeplinks. Network administrators should consider implementing deep packet inspection rules to detect and block known malicious deeplink patterns, while security teams should monitor for potential exploitation attempts through endpoint detection and response systems. Additionally, system administrators should review application permissions and ensure that Dive is running with minimal required privileges to limit potential damage from successful exploitation attempts. The fix implemented in version 0.13.0 addresses the root cause by requiring explicit user confirmation before installing any external MCP server configurations, thereby preventing automatic installation of malicious components. Security teams should also consider implementing application whitelisting policies to restrict which applications can process deeplinks and establish clear protocols for handling suspicious configuration changes. Regular security audits of desktop applications should include review of deeplink handling mechanisms to prevent similar vulnerabilities from being introduced in future versions.
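The confirm-before-install pattern described above, as an added sketch that is not Dive's code. The `exampleapp://mcp/install` link format, the function names and the `mcpServers` config layout are assumptions chosen for illustration.

```javascript
// Added example. The link format
//   exampleapp://mcp/install?name=<name>&config=<base64url JSON>
// and every function name here are hypothetical, not Dive's scheme or code.
const NAME_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

// Parse and validate the link. Throws on anything unexpected.
function parseInstallLink(link) {
  const url = new URL(link);
  if (url.protocol !== "exampleapp:" || url.host !== "mcp" || url.pathname !== "/install") {
    throw new Error("unsupported deeplink");
  }
  const name = url.searchParams.get("name") || "";
  if (!NAME_RE.test(name)) throw new Error("invalid server name");
  const raw = Buffer.from(url.searchParams.get("config") || "", "base64url").toString("utf8");
  const cfg = JSON.parse(raw); // throws on malformed JSON
  if (cfg === null || typeof cfg !== "object") throw new Error("invalid server config");
  const args = cfg.args === undefined ? [] : cfg.args;
  if (typeof cfg.command !== "string" || cfg.command === "" ||
      !Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    throw new Error("invalid server config");
  }
  // Copy only the validated fields; anything else carried by the link is dropped.
  return { name, server: { command: cfg.command, args: [...args] } };
}

// confirm(prompt) stands in for a modal dialog and must return exactly true
// on an explicit user approval. The stored config is never mutated, and a new
// one is produced only after that approval.
function installFromDeeplink(link, currentConfig, confirm) {
  const { name, server } = parseInstallLink(link);
  const exists = Object.prototype.hasOwnProperty.call(currentConfig.mcpServers, name);
  const prompt = {
    action: exists ? "replace" : "add",
    name,
    // The full command line that would run locally, quoted and unabridged.
    commandLine: [server.command, ...server.args].map((s) => JSON.stringify(s)).join(" "),
  };
  if (confirm(prompt) !== true) return { installed: false, config: currentConfig };
  const mcpServers = { ...currentConfig.mcpServers, [name]: server };
  return { installed: true, config: { ...currentConfig, mcpServers } };
}
```

The caller persists the returned config only when `installed` is true; a link that fails validation throws before any dialog is shown.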