CVE-2026-45805 in Penpotinfo

Summary

by MITRE • 07/15/2026

Penpot is an open-source design tool for design and code collaboration. Prior to 2.15.0, Penpot MCP's mcp/packages/server/src/ReplServer.ts bound the ReplServer to 0.0.0.0:4403 and exposed an unauthenticated /execute endpoint that passed the code field to PluginBridge.executePluginTask(), allowing anyone on the network to execute JavaScript on the server. This issue is fixed in version 2.15.0.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Penpot prior to version 2.15.0 represents a critical remote code execution flaw that fundamentally undermines the security posture of the application. This issue resides within the MCP component's ReplServer implementation, specifically in the mcp/packages/server/src/ReplServer.ts file where the server binding occurs on all network interfaces through the 0.0.0.0:4403 address configuration. The flaw creates an inherently insecure listening environment that exposes a critical endpoint without any authentication mechanisms, presenting a direct pathway for malicious actors to compromise the underlying system.

The technical implementation of this vulnerability demonstrates poor security design principles where the /execute endpoint accepts arbitrary code execution requests through the code field parameter. This parameter is directly passed to PluginBridge.executePluginTask() function without any input validation or authentication checks, creating a classic command injection vulnerability. The flaw essentially allows any network-accessible entity to submit JavaScript code that gets executed within the server context with the privileges of the running application, potentially enabling full system compromise.

From an operational perspective, this vulnerability represents a severe risk to organizations using Penpot, as it provides attackers with immediate remote code execution capabilities without requiring any authentication credentials. The exposed port 4403 on all interfaces means that any attacker who can reach the network segment where Penpot is running can exploit this flaw. This creates an attack surface that extends beyond the typical perimeter defenses, as the vulnerability exists at the application layer and does not require exploitation of network-level vulnerabilities to gain access.

The security implications extend beyond simple code execution to encompass complete system compromise, data exfiltration, and potential lateral movement within the network. An attacker could leverage this vulnerability to establish persistent backdoors, escalate privileges, or use the compromised server as a pivot point for attacking other systems. This aligns with ATT&CK technique T1059.007 for command and scripting interpreter JavaScript, and the vulnerability itself maps to CWE-78 and CWE-284 which cover improper privilege management and insecure direct object references respectively.

Organizations should immediately implement mitigation strategies including network segmentation to restrict access to port 4403, deploying firewalls or access control lists to limit exposure, and applying the patched version 2.15.0 that addresses this vulnerability through proper authentication mechanisms and restricted network binding. The fix likely involves binding the ReplServer to localhost only, implementing proper authentication checks for the /execute endpoint, and ensuring all input parameters undergo rigorous validation before processing. This remediation approach aligns with security best practices and helps prevent similar vulnerabilities in future implementations by enforcing principle of least privilege and secure coding standards.

Responsible

GitHub M

Reservation

05/13/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!