Code Runner MCP Server Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in Code Runner MCP Server. The issue arises when the server is started with the '--transport http' option, which exposes the '/mcp' JSON-RPC endpoint on port 3088 without any authentication. An unauthenticated remote attacker can invoke the 'run-code' MCP tool to submit arbitrary source code, which the server then executes via 'child_process.exec()' using the requested language interpreter. The submitted code runs with the same privileges as the user running the server. The vulnerability is present in all versions of Code Runner MCP Server and has not been fixed.
Impact
Exploitation of this vulnerability allows arbitrary code execution on the host running the server, with the executed code running under the privileges of the user who started the server.