GHSA-22qr-rp27-j9wm: PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
Summary
PenPot's MCP REPL server binds to all network interfaces (0.0.0.0:4403) and exposes an unauthenticated /execute endpoint that evaluates arbitrary JavaScript, so anyone who can reach that port on the network gets remote code execution (RCE) on the host running the server. Two omissions combine to cause this: the server's listen call passes no host argument, so it defaults to 0.0.0.0 instead of the loopback address, and the /execute handler performs no authentication check before running the user-supplied code.
Vulnerability Details
EPSS: 0.0%
May 19, 2026
Original source: https://github.com/advisories/GHSA-22qr-rp27-j9wm
First tracked: May 19, 2026 at 08:00 PM