Description
A vulnerability was determined in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. Manipulation of the argument code causes code injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. This product adopts a rolling release strategy to maintain continuous delivery, so version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the execute_blender_code function of blender-mcp. An attacker can supply a crafted code argument that is not properly validated, enabling arbitrary code execution via code injection; this inference is based on the description that manipulation of the argument code causes injection. This weakness corresponds to CWE-74 and CWE-94 and can compromise the confidentiality, integrity, and availability of the host system if exploited. The exploit can be performed remotely and has been publicly disclosed, meaning it may be actively used by threat actors.

Affected Systems

The product affected is ahujasid’s blender-mcp project. The vulnerability applies to all releases up to the commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b and any subsequent unpatched versions, as the project follows a rolling release strategy. No specific version numbers are provided for remediation, so any current instance of the software may be susceptible until a fix is released.

Risk and Exploitability

With a CVSS score of 5.1, the vulnerability is considered moderate, but it can be exploited remotely and an exploit is publicly available. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers who can chain this injection are able to run arbitrary machine‑level code, potentially escalating privileges or installing persistent backdoors. The risk remains until an official patch is applied or operational controls mitigate it.

Generated by OpenCVE AI on June 3, 2026 at 04:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version that includes the fix as soon as it is released.
  • If a fix is not yet available, restrict network access to the blender-mcp service, allowing only trusted IP addresses to reach the server.
  • Implement input validation or sandboxing for the code argument to prevent injection of malicious commands until a proper fix is applied.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was determined in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. This manipulation of the argument code causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
Title ahujasid blender-mcp server.py execute_blender_code code injection
First Time appeared Ahujasid
Ahujasid blender-mcp
Weaknesses CWE-74
CWE-94
CPEs cpe:2.3:a:ahujasid:blender-mcp:*:*:*:*:*:*:*:*
Vendors & Products Ahujasid
Ahujasid blender-mcp
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 5.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-03T12:44:58.705Z

Reserved: 2026-06-02T15:31:41.865Z

Link: CVE-2026-10688

Vulnrichment

Updated: 2026-06-03T12:44:55.328Z

NVD

Status: Received

Published: 2026-06-02T23:16:34.820

Modified: 2026-06-02T23:16:34.820

Link: CVE-2026-10688

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:45:25Z
