Description
A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch.
Published: 2026-06-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves the Open function in the server.py module of ahujasid Blender MCP. Manipulation of the input_image_url argument leads to injection, allowing an attacker to embed malicious code or otherwise alter the program’s normal behavior. This injection can be exploited remotely, giving the attacker the ability to execute unintended commands or code within the context of the server.

Affected Systems

Affected systems are all installations of ahujasid Blender MCP running any release up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Because the project follows a rolling‑release model, specific version numbers are not listed; the known patch is identified by commit 5b37be25242e73dc4cf1328974d30458b9e5d67e.

Risk and Exploitability

The CVSS score of 5.3 places this flaw in the moderate severity range. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread automated exploitation is not yet documented. The attack vector is remote, most likely via an exposed HTTP endpoint that invokes the Open function, and it requires the attacker to supply a crafted URL pointing to an image resource that can trigger the injection. Once the injection succeeds, the attacker may gain code execution capability on the host running Blender MCP.

Generated by OpenCVE AI on June 3, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the patch corresponding to commit 5b37be25242e73dc4cf1328974d30458b9e5d67e from the ahujasid Blender MCP repository.
  • Validate or sanitize the input_image_url parameter to ensure it contains only allowed URLs and does not allow arbitrary code execution.
  • Restrict access to the Open function or enforce authentication so that only trusted users can invoke it.



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch.
Title | | ahujasid blender-mcp server.py open injection
First Time appeared | | Ahujasid; Ahujasid blender-mcp
Weaknesses | | CWE-707; CWE-74
CPEs | | cpe:2.3:a:ahujasid:blender-mcp:*:*:*:*:*:*:*:*
Vendors & Products | | Ahujasid; Ahujasid blender-mcp
References | |
Metrics | | cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T14:07:58.215Z

Reserved: 2026-06-02T15:24:54.547Z

Link: CVE-2026-10661

Vulnrichment

Updated: 2026-06-03T13:44:41.276Z

NVD

Status: Received

Published: 2026-06-02T22:16:16.477

Modified: 2026-06-02T22:16:16.477

Link: CVE-2026-10661

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:54:37Z
