CVE-2026-5029

UNKNOWN 0.0

RCE in Code Runner MCP Server

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke the run-code MCP tool to supply arbitrary source code and execute it via child_process.exec() using the specified language interpreter. This allows execution of arbitrary code with the privileges of the user running the server. This vulnerability has not been fixed and might affect the project in all versions.

CWE	CWE-306
Vendor	code runner mcp server
Product	code runner mcp server
Published	May 12, 2026
Last Updated	May 12, 2026

Stay Ahead of the Next One

Get instant alerts for code runner mcp server code runner mcp server

Be the first to know when new unknown vulnerabilities affecting code runner mcp server code runner mcp server are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Code Runner MCP Server / Code Runner MCP Server

0 ≤ *

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-5029

Credits

Eryk Winiarz