Description
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Published: 2026-01-16
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Dive is an open‑source MCP Host Desktop Application that integrates with function‑calling LLMs. Before version 0.13.0 it accepts custom deeplinks that can install an attacker‑controlled MCP server configuration without sufficient user confirmation, allowing an adversary to execute arbitrary local commands on the victim’s machine. The vulnerability is a classic code injection flaw (CWE‑94) and leads to full compromise of the host device.

Affected Systems

The affected product is OpenAgentPlatform’s Dive application, versions older than 0.13.0. No specific installation locations or operating systems are listed, but the vulnerability applies to any deployment of the desktop application that processes external deeplinks.

Risk and Exploitability

The CVSS score of 9.7 indicates critical severity, but the EPSS score of less than 1% suggests current exploitation attempts are unlikely. The vulnerability is not currently listed in the CISA KEV catalog, meaning no confirmed widespread attacks are known at this time. Attackers can exploit the flaw by tricking a user into clicking a crafted deeplink—most likely via malicious email or compromised website—then the application will install the attacker’s MCP server configuration and execute commands on the local machine.

Generated by OpenCVE AI on April 18, 2026 at 16:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dive to version 0.13.0 or later to eliminate the vulnerability
  • Temporarily disable handling of external deeplinks until the patch is applied
  • Audit and remove any automatically installed attacker‑controlled MCP server configurations

Generated by OpenCVE AI on April 18, 2026 at 16:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:openagentplatform:dive:*:*:*:*:*:*:*:*

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Openagentplatform
Openagentplatform dive
Vendors & Products Openagentplatform
Openagentplatform dive

Fri, 16 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Title Dive allows One-click Remote Code Execution through Deep Links for MCP Install
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Openagentplatform Dive
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-16T16:47:34.560Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23523

cve-icon Vulnrichment

Updated: 2026-01-16T16:47:26.604Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-16T17:15:54.480

Modified: 2026-02-09T20:45:56.863

Link: CVE-2026-23523

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:15:04Z

Weaknesses