TokenTalks

Security advisory:

[HIGH] GHSA-22qr-rp27-j9wm: PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE

GitHub Security Advisory · Security · SecurityFix · 5/19/2026

### Summary

The MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:4403`) and exposes a `/execute` endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main `PenpotMcpServer` was partially fixed for a similar binding issue (#8683), but `ReplServer.ts` was missed.
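The two halves of the advisory, bind address and request gate, side by side as an added TypeScript example. This is illustration code written for this page, not `ReplServer.ts` and not the project's fix; every name in it (`Gate`, `vulnerableGate`, `makeHardenedGate`, `isLoopbackBind`, `createReplServer`) is an assumption. The vulnerable gate is the behaviour the advisory describes: any POST to `/execute` reaches the evaluator. The hardened gate requires a per-process bearer token compared in constant time, and `isLoopbackBind` flags the all-interfaces bind before `listen` is ever called.

```typescript
import * as http from "node:http";
import { randomBytes, timingSafeEqual } from "node:crypto";

// A gate decides whether an incoming request may reach the code evaluator.
export type Gate = (method: string, url: string, authHeader: string | undefined) => boolean;

// The pattern the advisory describes: every POST to /execute is evaluated, no credential checked.
// Combined with a 0.0.0.0 bind, any host that can reach the port runs code in this process.
export const vulnerableGate: Gate = (method, url) => method === "POST" && url === "/execute";

// Hardened variant (assumed design for this example, not the project's fix): a bearer token,
// generated per process, must accompany every /execute request.
export function makeHardenedGate(token: string): Gate {
  const expected = Buffer.from(token);
  return (method, url, authHeader) => {
    if (method !== "POST" || url !== "/execute") return false;
    const m = /^Bearer\s+(\S+)$/.exec(authHeader ?? "");
    if (!m) return false;
    const presented = Buffer.from(m[1]);
    // timingSafeEqual throws on length mismatch, so compare lengths first;
    // a length mismatch is itself a rejection, and equal lengths get a constant-time compare.
    return presented.length === expected.length && timingSafeEqual(presented, expected);
  };
}

// "0.0.0.0" (IPv4 any) and "::" (IPv6 any) make the listener reachable from every interface.
// Only these addresses keep a debugging REPL confined to the local machine.
export function isLoopbackBind(host: string): boolean {
  return host === "127.0.0.1" || host === "::1" || host === "localhost";
}

// 32 random bytes, hex encoded: long enough that guessing it over the network is not an option.
export function newToken(): string {
  return randomBytes(32).toString("hex");
}

// Minimal REPL-style HTTP server. The caller supplies the evaluator and the gate, so the same
// server body can be run with vulnerableGate (the advisory's shape) or with makeHardenedGate(...).
export function createReplServer(
  opts: { host: string; port: number; gate: Gate },
  evaluate: (code: string) => string,
): http.Server {
  if (!isLoopbackBind(opts.host)) {
    // Surface the all-interfaces bind loudly; the advisory's bug was exactly this default.
    console.warn(`REPL server binding to ${opts.host}:${opts.port}: reachable beyond localhost`);
  }
  const server = http.createServer((req, res) => {
    const chunks: Buffer[] = [];
    req.on("data", (c: Buffer) => chunks.push(c));
    req.on("end", () => {
      if (!opts.gate(req.method ?? "", req.url ?? "", req.headers.authorization)) {
        res.writeHead(401);
        res.end("unauthorized");
        return;
      }
      try {
        res.writeHead(200, { "content-type": "text/plain" });
        res.end(evaluate(Buffer.concat(chunks).toString("utf8")));
      } catch (e) {
        res.writeHead(400);
        res.end(String(e));
      }
    });
  });
  server.listen(opts.port, opts.host);
  return server;
}
```

To run it locally: `createReplServer({ host: "127.0.0.1", port: 4403, gate: makeHardenedGate(newToken()) }, evaluate)`, where `evaluate` is whatever the REPL actually executes. The bind address alone is not sufficient as a control: a process on the same host, or a container on the same Docker network, still reaches `127.0.0.1:4403` or the container's interface, so the token check is what stops code execution by a neighbour. To check a deployed instance, `ss -ltnp | grep 4403` shows the bound address; `0.0.0.0:4403` or `*:4403` means the listener is network-reachable.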

Why it matters: an unauthenticated `/execute` endpoint bound to `0.0.0.0:4403` lets any host that can reach the port run arbitrary JavaScript inside the server process, which is why the advisory is rated HIGH. The earlier fix for the similar binding issue in `PenpotMcpServer` (#8683) did not cover `ReplServer.ts`, so deployments that took that fix are still exposed through the REPL server.

Who should care: teams running or evaluating @penpot/mcp, in particular anyone whose host or container network lets other machines reach port 4403.

Tags: @penpot/mcp · docker · typescript · node.js

Source payload preview

{
  "ghsaId": "GHSA-22qr-rp27-j9wm",
  "summary": "PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE",
  "severity": "HIGH",
  "updatedAt": "2026-05-19T19:57:37Z",
  "references": [
    {
      "url": "https://github.com/penpot/penpot/security/advisories/GHSA-22qr-rp27-j9wm"
    },
    {
      "url": "https://github.com/advisories/GHSA-22qr-rp27-j9wm"
    }
  ],
  "description": "### Summary\n\nThe MCP module's `ReplServer` binds to all interfaces (`0.0.0.0:4403`) and exposes a `/execute` endpoint that runs arbitrary code with zero authentication. Anyone on the network can POST JavaScript and it runs on the server. The main `PenpotMcpServer` was partially fixed for a similar binding issue (#8683), but `ReplServer.ts` was missed.\n\n### Details\n\n`mcp/pac