Auth bypass in Code Runner Mcp Server

CVE-2026-5029

A remote code execution vulnerability exists in Code Runner MCP Server when run with the --transport http option, which exposes the /mcp JSON-RPC endpoint without authentication on port 3088. An unauthenticated remote attacker can invoke t…

Vulnerability class: Broken Authentication

EPSS: 0.001 (26.0th percentile) — read the EPSS interpretation.

Affected products

Code Runner Mcp Server — versions 0

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

cvd@cert.pl (third-party-advisory)