CVE-2026-44450
Description
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without any validation. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), giving any logged-in user arbitrary OS-level code execution on the Lumiverse server. The route requires only requireAuth (not requireOwner). The server binds on all interfaces (::) and the host-header rebinding check is bypassed trivially by any HTTP client that sends Host: localhost: directly, making this exploitable from any machine with network access to the server port. This vulnerability is fixed in 0.9.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Any authenticated user can achieve OS-level RCE on Lumiverse servers <0.9.7 via the MCP server creation endpoint by injecting arbitrary code through the args field of stdio transports.
Vulnerability
In Lumiverse versions prior to 0.9.7, the MCP server creation endpoint (POST /api/v1/mcp-servers) validates the command field against an allowlist of binary names (e.g., node, bun, python3, deno) but forwards the args array to the child process without any validation [1]. Every binary on the allowlist accepts an inline-code execution flag (-e for node/bun, -c for python3/deno), which means an attacker can pass arbitrary code as an argument. The route only requires the requireAuth middleware (not requireOwner), so any logged-in user can trigger this behavior. Additionally, the server binds on all interfaces (::) and the host-header rebinding check can be bypassed by any HTTP client that sends Host: localhost: directly, making the endpoint reachable from any machine with network access to the server port [1].
Exploitation
An attacker must have a valid session cookie for any authenticated Lumiverse user. The attacker then sends a POST request to /api/v1/mcp-servers with a JSON body that specifies a transport_type of "stdio", a command from the allowlist (e.g., "node"), and args containing the code-execution flag and the attacker's payload (e.g., ["-e", "require('fs').writeFileSync('/tmp/rce_proof.txt','pwned')"]). Following that, a POST to /api/v1/mcp-servers//connect triggers the creation of the child process, executing the arbitrary OS-level command [1]. No special network position is required beyond TCP connectivity to the Lumiverse server port; the host-header bypass makes this directly exploitable from any client.
Impact
Successful exploitation grants the attacker arbitrary OS-level code execution as the Lumiverse server process user. This completely compromises the confidentiality, integrity, and availability of the server and the data it processes. An authenticated user can exfiltrate database contents, modify application files, install backdoors, or pivot to other internal systems. When chained with two other vulnerabilities (not detailed in the available references), an attacker could achieve unauthenticated RCE [1].
Mitigation
The vulnerability is fixed in Lumiverse version 0.9.7 [1]. Users should upgrade all lumiverse-backend installations to version 0.9.7 or later immediately. No workarounds are documented in the available references. Servers running versions 0.9.5 and earlier are affected; there is no indication that the package has reached end-of-life. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing validation on the args array in MCP server creation allows inline-code execution flags to be passed to allowlisted binaries."
Attack vector
An authenticated attacker sends a POST request to `/api/v1/mcp-servers` with a JSON body containing a valid allowlisted binary (e.g., `node`) in the `command` field and an `args` array that includes the binary's inline-code execution flag (e.g., `-e`) followed by arbitrary OS commands [ref_id=1]. The server then creates a `StdioClientTransport` that spawns the child process with those unvalidated arguments, executing the attacker's code. The route only requires `requireAuth` (not `requireOwner`), so any logged-in user can trigger this. The server binds on all interfaces (`::`), and the host-header rebinding check is trivially bypassed by sending `Host: localhost:
Affected code
The MCP server creation endpoint in `routes/api/v1/mcp-servers` validates the `command` field via `assertStdioCommandAllowed(server.command)` but passes the `args` array directly to `StdioClientTransport` without any validation [ref_id=1]. The `args` array is forwarded to the child process as-is, allowing arbitrary arguments to be injected alongside any allowlisted binary.
What the fix does
The advisory states the vulnerability is fixed in version 0.9.7 but does not include a patch diff [ref_id=1]. The fix would need to either validate each element in the `args` array against an allowlist, or disallow dangerous flags such as `-e` and `-c` that enable inline code execution. Alternatively, the fix could restructure the transport to avoid passing user-supplied arguments directly to the child process.
Preconditions
- authAttacker must have a valid authenticated session (any logged-in user, not necessarily the owner)
- networkAttacker must have network access to the Lumiverse server port (server binds on all interfaces)
- inputAttacker must send HTTP requests with Host header set to localhost: to bypass host-header rebinding check
Reproduction
1. Obtain a valid session cookie by authenticating to the Lumiverse server. 2. Send a POST request to `/api/v1/mcp-servers` with `Cookie: better-auth.session_token=
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.