Impact
Lumiverse’s MCP server creation endpoint, before version 0.9.7, validates the command field against an allowlist but forwards the accompanying arguments array to the spawned child process without any validation. Each allowed binary in the list accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged‑in user the ability to execute arbitrary OS commands on the Lumiverse host. Because the route only requires basic authentication and the server bypasses host‑header rebinding checks, an attacker can exploit this flaw from any machine with network access to the server’s port. The result is full system compromise via remote code execution.
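The gap described above is that the allowlist covers command while args passes through unchecked. The following audit sketch is an added example, not Lumiverse code: it scans MCP server definitions for the inline-code flags the advisory names. The { name, command, args } record shape, the function names and the sample records are assumptions constructed for illustration.

```javascript
// Allowlisted binary -> inline-code flag, as listed in the advisory text.
const INLINE_CODE_FLAGS = { node: "-e", bun: "-e", python3: "-c", deno: "-c" };

// Returns findings for one definition; an empty array means nothing matched.
// The { command, args } record shape is an assumption, not Lumiverse's schema.
function auditDefinition(def) {
  const command = String(def.command ?? "");
  // Compare on the basename so "/usr/bin/node" is treated like "node".
  const binary = command.split(/[\\/]/).pop();
  if (!Object.prototype.hasOwnProperty.call(INLINE_CODE_FLAGS, binary)) {
    return [`command "${command}" is outside the audited allowlist`];
  }
  if (!Array.isArray(def.args)) return ["args is not an array"];
  const flag = INLINE_CODE_FLAGS[binary];
  const findings = [];
  def.args.forEach((arg, i) => {
    if (typeof arg !== "string") {
      findings.push(`args[${i}] is not a string`);
    } else if (arg.startsWith(flag)) {
      // Matches the bare flag and the attached form (flag and value in one argument).
      findings.push(`args[${i}] uses inline-code flag ${flag} for ${binary}`);
    }
  });
  return findings;
}

// Constructed sample records; names and paths are placeholders.
const SAMPLE_DEFINITIONS = [
  { name: "files", command: "node", args: ["./mcp/files-server.js", "--port", "0"] },
  { name: "inline-js", command: "node", args: ["-e", "/* inline code */"] },
  { name: "inline-py", command: "/usr/bin/python3", args: ["-cpass"] },
  { name: "shell", command: "sh", args: ["run.sh"] },
];

// Maps each definition name to its findings, keeping only those with findings.
function auditAll(defs) {
  const report = {};
  for (const def of defs) {
    const findings = auditDefinition(def);
    if (findings.length > 0) report[def.name] = findings;
  }
  return report;
}

console.log(auditAll(SAMPLE_DEFINITIONS));
```

A match list like this suits triage of existing records; it covers only the flags the advisory names and is not a complete argument validator.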
Affected Systems
The vulnerability affects the Lumiverse AI chat application developed by prolix-oc. Any release prior to version 0.9.7 is susceptible. In deployments running version 0.9.6 or earlier, both the MCP server creation endpoint and the host-binding configuration expose the server to this exploitation vector.
Risk and Exploitability
The CVSS score of 9.9 indicates a critical impact. An EPSS score is currently not available, so exploitation risk is not quantifiable at this time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires network connectivity to the Lumiverse server and possession of valid user credentials, but does not depend on owner-level privileges. Because the server binds to all interfaces and the host-header check can be trivially bypassed, any networked attacker can trigger the flaw. Once the flaw is triggered, the attacker gains unrestricted operating-system-level control over the server.