| Название | ahujasid blender-mcp Latest remote code execute |
|---|
| Описание | Summary
A code injection vulnerability exists in the blender-mcp . The root cause is the use of Python's exec() function to execute user-controlled input without any sanitization, filtering, or sandboxing. The code parameter provided by the MCP client is passed through the MCP Server (server.py) to the Blender addon (addon.py) via a TCP socket connection and directly executed by exec(). Since exec() runs with full Python capabilities, an attacker can import arbitrary modules (e.g., os, subprocess, socket) and execute arbitrary system commands. Successful exploitation leads to remote code execution under the Blender process's privileges.
The server accepts a code string from the MCP client and forwards it to the Blender addon without any validation. The addon then calls exec(code, {"bpy": bpy}), granting complete access to Python's standard library and the underlying operating system.
Details
The MCP server is for the Blender 3D modeling application, allowing AI assistants to interact with Blender. An MCP Client can be instructed to execute arbitrary Python code, for example via prompt injection when asked to create or modify 3D scenes. Below are the vulnerable code locations and methods for testing this vulnerability using MCP Inspector. Similarly, attackers can achieve this attack through methods such as indirect prompt injection. The following code leads to arbitrary code execution.
Vulnerable code
The vulnerability spans two files — the MCP Server tool definition (source) and the Blender addon handler (sink). The code parameter flows through the entire chain with zero validation. Note: This is the primary instance, but similar unvalidated execution patterns may exist elsewhere in the codebase.
Version: Latest
File: /src/blender_mcp/server.py
@telemetry_tool("execute_blender_code")
@mcp.tool()
def execute_blender_code(ctx: Context, code: str) -> str:
"""
Execute arbitrary Python code in Blender. Make sure to do it step-by-step by breaking it into smaller chunks.
Parameters:
- code: The Python code to execute
"""
try:
# Get the global connection
blender = get_blender_connection()
result = blender.send_command("execute_code", {"code": code})
return f"Code executed successfully: {result.get('result', '')}"
except Exception as e:
logger.error(f"Error executing code: {str(e)}")
return f"Error executing code: {str(e)}"
In the execute_blender_code tool, the code parameter is required and provided directly by the MCP client. This parameter is forwarded to the Blender addon via send_command("execute_code", {"code": code}) without any sanitization, thus enabling arbitrary code execution.
Version: Latest
File: /addon.py
def execute_code(self, code):
"""Execute arbitrary Blender Python code"""
# This is powerful but potentially dangerous - use with caution
try:
# Create a local namespace for execution
namespace = {"bpy": bpy}
# Capture stdout during execution, and return it as result
capture_buffer = io.StringIO()
with redirect_stdout(capture_buffer):
exec(code, namespace)
captured_output = capture_buffer.getvalue()
return {"executed": True, "result": captured_output}
except Exception as e:
raise Exception(f"Code execution error: {str(e)}")
In the execute_code method of the addon, the code string is passed directly to Python's built-in exec() function. Although the execution namespace only explicitly includes bpy, exec() runs with full Python capabilities — an attacker can import any module (os, subprocess, socket, etc.) and execute arbitrary system commands with the privileges of the Blender process.
In the source code of the tool execute_blender_code, we found a call to send_command("execute_code", ...) which routes to the execute_code handler in the addon. This means that this tool directly introduces the security risk. |
|---|
| Источник | ⚠️ https://github.com/ahujasid/blender-mcp/issues/201 |
|---|
| Пользователь | skywings (UID 98274) |
|---|
| Представление | 15.05.2026 08:54 (20 дни назад) |
|---|
| Модерация | 02.06.2026 17:31 (18 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367958 [ahujasid blender-mcp до 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b server.py execute_blender_code эскалация привилегий] |
|---|
| Баллы | 20 |
|---|