CVE-2026-10688: Code Injection in ahujasid blender-mcp
A code injection vulnerability exists in ahujasid blender-mcp, a tool used for integrating Blender with model context protocol systems. An authenticated attacker can inject and execute arbitrary code by manipulating the 'code' parameter passed to the execute_blender_code function in the server. The vulnerability has been publicly disclosed and exploit code is available. The project uses rolling releases, making it difficult to identify fixed versions; however, the maintainers have been notified but have not yet responded with a patch or mitigation guidance.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-74, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in ahujasid blender-mcp up to 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b. The impacted element is the function execute_blender_code of the file /src/blender_mcp/server.py. This manipulation of the argument code causes code injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10688 is a remote code injection vulnerability in blender-mcp's /src/blender_mcp/server.py, specifically in the execute_blender_code function. The vulnerability stems from improper validation of the 'code' argument, allowing attackers to inject malicious code that executes in the server process. The CWE classifications (CWE-74: Improper Neutralization of Special Elements in Output, CWE-94: Improper Control of Generation of Code) indicate the root cause is insufficient input sanitization before code evaluation. While the CVSS 3.1 score of 5.5 (MEDIUM) reflects that authentication is required and privilege is limited, the practical impact is significant because an authenticated user—potentially an insider or someone with legitimate system access—can achieve arbitrary code execution.
Business impact
An authenticated user exploiting this vulnerability could execute arbitrary code on a system running blender-mcp, potentially leading to data theft, system compromise, lateral movement within a network, or disruption of Blender-based workflows. Organizations using blender-mcp for automation, rendering pipelines, or collaborative projects should treat this as a priority because the barrier to exploitation is low once an attacker is authenticated. The lack of vendor response increases operational risk for teams dependent on this tool.
Affected systems
ahujasid blender-mcp up to commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b is affected. Because the project uses a rolling release strategy, traditional version numbers are not available. Teams must track the repository history to determine whether their deployed instance includes the vulnerable code. Any deployment prior to the commit that fixes the execute_blender_code function validation is at risk.
Exploitability
The vulnerability is exploitable remotely over the network by any authenticated user. Public disclosure and availability of exploit code lower the barrier to abuse. The attack requires authentication but no special privileges, and user interaction is part of the attack vector (CVSS metric UI:R). This combination means an insider threat or compromised user account could weaponize this flaw with minimal complexity. The simplicity of code injection attacks once a foothold exists makes early detection and remediation critical.
Remediation
Immediate actions: (1) Review access controls for blender-mcp systems—limit authentication to trusted users and networks only. (2) Monitor the project's repository and issue tracker for patches or workarounds; since the maintainers have been notified but not yet responded, community-driven fixes or forks may emerge. (3) Consider isolating blender-mcp instances in sandboxed or containerized environments with restricted capabilities to limit blast radius if exploited. (4) Evaluate alternative tools or temporary operational constraints until a fix is available. Teams should avoid upgrading to the latest rolling release blindly without verification that the vulnerability has been patched.
Patch guidance
The vendor has not issued an official patch as of the modification date. Because blender-mcp uses rolling releases, verify against the project's repository and issue tracker to confirm whether the vulnerable code has been removed or hardened. Check the commit history after 2026-06-17 for validation of the execute_blender_code function and input sanitization improvements. Until a confirmed fix is released, treat all deployments running code prior to a verified security commit as vulnerable.
Detection guidance
Monitor network traffic to blender-mcp instances for unusual execute_blender_code requests or abnormal code payloads in the 'code' parameter. Log and alert on any authenticated session that submits code containing suspicious constructs (e.g., import statements for system libraries, os module calls, or subprocess invocations). Endpoint detection should flag unexpected child processes spawned by blender-mcp server processes. Review authentication logs for unusual or privileged account activity immediately before exploitation attempts.
Why prioritize this
Although assigned CVSS 5.5 (MEDIUM), this vulnerability merits high-priority attention due to: (1) public exploit availability reducing time to weaponization, (2) remote exploitability over authenticated channels, (3) arbitrary code execution capability with full server process privileges, (4) lack of vendor response indicating no official timeline for remediation, and (5) rolling release model creating uncertainty about patch status. Teams using blender-mcp for production workflows should treat this as a high-priority operational risk requiring immediate protective measures.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a MEDIUM severity: remote, unauthenticated barrier (AV:N, AC:L), but requires a logged-in user (PR:L) and user interaction (UI:R). Confidentiality, integrity, and availability impacts are each marked as Low (L). However, the real-world risk is elevated by public exploit availability, the criticality of code execution for system compromise, and the lack of vendor remediation progress. Organizations should treat this as functionally higher-priority than the numeric score suggests.
Frequently asked questions
What is blender-mcp and why should I care about this vulnerability?
Blender-mcp is a tool that integrates Blender (a 3D graphics suite) with Model Context Protocol systems, enabling automated or remote code execution for rendering and graphics workflows. If your organization uses it for automation, rendering pipelines, or collaborative projects, this vulnerability allows authenticated attackers to run arbitrary code on affected systems, potentially compromising data or the wider network.
Do I need to patch immediately, or can I wait for an official release?
The vendor has not yet responded with a patch or timeline. Given public exploit availability, you should implement immediate protective measures: restrict authentication to trusted networks, monitor for suspicious activity, and isolate blender-mcp in sandboxed environments. Monitor the project repository for security updates; do not wait for a formal release if an interim hardening or community patch becomes available.
How can I tell if my blender-mcp deployment is vulnerable?
Check your deployed commit hash against the vulnerable commit 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b and any commits after 2026-06-17 in the project repository. If your deployment pre-dates a verified security fix in the execute_blender_code function, assume it is vulnerable. Contact the project maintainers or monitor their issue tracker for explicit patch confirmation.
What's the difference between CVSS 5.5 (MEDIUM) and the 'high-priority' guidance you're giving?
CVSS 5.5 reflects formal constraints (authentication required, limited scope), but does not fully capture real-world risk factors: public exploits, remote code execution capability, and absent vendor remediation. CVSS is one input; operational context, exploit availability, and business criticality drive prioritization. In this case, the combination warrants treating it as a high-priority operational risk despite the moderate numeric score.
This analysis is based on publicly disclosed information as of June 2026. Exploit code is publicly available; defensive measures are strongly recommended. The vendor has not issued an official patch; all patch guidance herein is advisory and subject to change. Organizations should verify patch applicability directly with the blender-mcp project and conduct testing in non-production environments before deployment. SEC.co assumes no liability for incomplete or evolving vendor responses. Consult your security team and vendor advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10175MEDIUMCode Injection in Aider-AI Aider 0.86.3 – Exploit Available
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10153MEDIUMCross-Site Scripting in westboy CicadasCMS Search Function
- CVE-2026-10155MEDIUMSQL Injection in Bdtask Multi-Store Inventory Management System 1.0
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10170MEDIUMSQL Injection in code-projects Visitor Management System 1.0