CVE-2026-10661: Input Injection in blender-mcp — MEDIUM Severity Authentication Required
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-707, CWE-74
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability has been found in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Impacted is the function Open of the file src/blender_mcp/server.py. The manipulation of the argument input_image_url leads to injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The identifier of the patch is 5b37be25242e73dc4cf1328974d30458b9e5d67e. To fix this issue, it is recommended to deploy a patch.
8 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10661 is an injection vulnerability in ahujasid/blender-mcp affecting versions up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The vulnerability exists in the Open function where the input_image_url argument is processed without sufficient sanitization, allowing injection of arbitrary payloads. The affected project uses a rolling release model without traditional versioning, but patch commit 5b37be25242e73dc4cf1328974d30458b9e5d67e addresses the issue. The CVSS v3.1 score of 4.3 (MEDIUM) reflects that exploitation requires authenticated access (PR:L) and results in confidentiality impact only (C:L), with no integrity or availability compromise.
Business impact
Organizations using blender-mcp in production workflows face potential data exposure if authenticated users either maliciously or inadvertently trigger the injection flaw. While the vulnerability does not enable direct code execution or denial of service, the information disclosure risk could expose sensitive parameters, configuration details, or intermediate processing data. For teams integrating blender-mcp into automated pipelines or multi-tenant environments, this vulnerability warrants prompt remediation to prevent credential or configuration leakage.
Affected systems
The blender-mcp project, maintained by ahujasid, is affected up to and including commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. Because the project follows a rolling release model without discrete version numbers, operators must compare their deployed commit hash against the vulnerable boundary and patch commit. Any installation deployed from the vulnerable commit range is at risk; no specific version numbers are published by the vendor.
Exploitability
The vulnerability requires authenticated access (CVSS PR:L), meaning an attacker must have valid credentials to the blender-mcp instance. The network-accessible nature (AV:N) and low attack complexity (AC:L) mean that any authenticated user can attempt exploitation without special tools or conditions. Public disclosure has already occurred, making this vulnerability visible to potential adversaries. However, the lack of direct code execution or system compromise limits the attractiveness for mass exploitation compared to higher-impact flaws.
Remediation
Deploy patch commit 5b37be25242e73dc4cf1328974d30458b9e5d67e or later to remediate the injection vulnerability. Since blender-mcp uses continuous delivery, verify that your current deployment includes the patched commit. Input validation and sanitization have been improved in the patched version to prevent malicious input_image_url values from being processed. Organizations should also review audit logs for any suspicious image URL submissions prior to patching.
Patch guidance
To remediate, pull the latest version of the blender-mcp repository and verify that your deployment commit is at or after 5b37be25242e73dc4cf1328974d30458b9e5d67e. If using a pinned version from before this commit, update to a newer commit hash. The project does not issue traditional version numbers, so commit-based tracking is necessary. Test the patched build in a non-production environment to ensure compatibility with your workflow before deploying to production instances.
Detection guidance
Monitor for unusual or malformed image URL submissions to the Open function in blender-mcp, particularly from authenticated accounts that do not typically interact with image processing. Look for URL patterns that include escape sequences, SQL injection attempts, command substitution syntax, or references to unexpected external hosts. Review application logs for error messages related to URL parsing or processing failures that may indicate injection attempts. Network monitoring can flag suspicious requests to unexpected external resources triggered by the input_image_url parameter.
Why prioritize this
Although this vulnerability carries a moderate CVSS score, its public disclosure and the requirement for authentication make it a lower immediate threat than critical exploits. However, organizations with multi-user blender-mcp deployments, particularly those handling sensitive data or configurations, should prioritize patching to prevent insider or compromised-account data exposure. The lack of KEV inclusion reflects that federal agencies do not currently consider this among the highest-risk public vulnerabilities, but private sector risk appetite may differ.
Risk score, explained
The CVSS v3.1 score of 4.3 reflects a scenario where an authenticated attacker can exploit the injection flaw to gain limited information disclosure (C:L). The requirement for authentication (PR:L) and absence of integrity (I:N) or availability (A:N) impact prevent a higher score. Network accessibility (AV:N) and low attack complexity (AC:L) provide modest uplift. This is a solid MEDIUM rating—not negligible, but not an emergency requiring immediate shutdown of systems. Organizations must balance this risk against operational disruption from patching.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. The CVSS vector and vulnerability description indicate information disclosure only (C:L with I:N, A:N). Exploitation does not enable code execution or system compromise, though attackers may extract sensitive data.
Can an unauthenticated attacker exploit this?
No. The vulnerability requires authenticated access (PR:L). Attackers must have valid credentials to the blender-mcp instance. However, compromised or insider accounts pose the primary risk.
How do I check if my deployment is vulnerable?
Compare your deployed commit hash against the vulnerable boundary (up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b). If your commit is before patch 5b37be25242e73dc4cf1328974d30458b9e5d67e, you are vulnerable. Use 'git log --oneline' to confirm your current deployment's commit.
Is there a workaround if I cannot immediately patch?
Restrict API access to trusted internal networks, implement input validation at the application layer to reject malformed URLs, and monitor for suspicious image URL submissions. These are temporary measures; patching should be prioritized.
This analysis is provided for informational purposes to assist security decision-making. The vulnerability details, CVSS scoring, and patch information reflect data published as of June 2026. Organizations should verify patch applicability and test in non-production environments before deployment. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Always consult official vendor advisories and security bulletins for the authoritative remediation guidance. Exploitation of vulnerabilities may be illegal; use this information only for authorized defensive purposes within your organization. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10210MEDIUMAstrBot 4.23.6 Prompt Injection Vulnerability
- CVE-2026-10222MEDIUMNousResearch hermes-agent Environment Variable Injection Vulnerability
- CVE-2026-10223MEDIUMNousResearch hermes-agent Injection Vulnerability – Exploit Available
- CVE-2026-10220HIGHNousResearch hermes-agent Injection Vulnerability – Patch Guidance
- CVE-2026-10221HIGHNousResearch hermes-agent Remote Code Injection Vulnerability
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23