CVE-2026-10691: ReDoS Vulnerability in DesktopCommanderMCP Search Manager
A vulnerability in wonderwhy-er DesktopCommanderMCP through version 0.2.38 allows an authenticated user to trigger a denial-of-service condition by crafting malicious search result data that causes inefficient regular expression processing. The flaw is in the search-manager component and can be exploited remotely by any logged-in user. The vendor has released version 0.2.39 with a fix.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-1333, CWE-400
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A security flaw has been discovered in wonderwhy-er DesktopCommanderMCP up to 0.2.38. This impacts an unknown function of the file src/search-manager.ts of the component start_search. Performing a manipulation of the argument SearchResult[] results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 0.2.39 will fix this issue. The patch is named 4ce845f8749b6a159b57b38dcc3357f7222a8078. It is suggested to upgrade the affected component.
9 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10691 is a ReDoS (Regular Expression Denial of Service) vulnerability affecting the start_search function in src/search-manager.ts of DesktopCommanderMCP. The vulnerability stems from improper handling of SearchResult[] arguments, leading to catastrophic backtracking in regex evaluation. An authenticated attacker can manipulate search result parameters to cause excessive CPU consumption and application unavailability. The CVSS 3.1 score of 4.3 (MEDIUM) reflects network accessibility but requires prior authentication and impacts only availability.
Business impact
This vulnerability enables authenticated users to disrupt service availability through resource exhaustion attacks. While the attack requires valid credentials, it can be weaponized to create operational disruptions, degrade application responsiveness, or cause temporary outages. Organizations relying on DesktopCommanderMCP for critical search operations may experience service interruptions, though confidentiality and integrity remain unaffected. The public availability of exploit code increases likelihood of opportunistic attacks.
Affected systems
wonderwhy-er DesktopCommanderMCP versions up to and including 0.2.38 are affected. The vulnerability is resolved in version 0.2.39. Any deployment using versions prior to 0.2.39 should be considered at risk, particularly if accessible to multiple internal users or untrusted authenticated accounts.
Exploitability
This vulnerability has moderate exploitability. It requires network access and valid authentication credentials, but no special privileges. The attack vector is straightforward—an authenticated user supplies crafted search parameters that trigger regex backtracking. Public exploit code is available, lowering the barrier to entry for attackers. However, the necessity of authentication and the straightforward nature of detection (observable CPU/performance impact) limit widespread abuse.
Remediation
Upgrade DesktopCommanderMCP to version 0.2.39 or later, which includes commit 4ce845f8749b6a159b57b38dcc3357f7222a8078 resolving the regex complexity issue. Organizations should prioritize this upgrade for systems exposed to untrusted authenticated users. Until patching is complete, implement input validation on search parameters and monitor for unusually high CPU consumption during search operations.
Patch guidance
Update to DesktopCommanderMCP version 0.2.39 immediately. The patch directly addresses the inefficient regex in the search-manager component. Verify the applied patch includes commit 4ce845f8749b6a159b57b38dcc3357f7222a8078 to confirm proper remediation. Test search functionality after upgrade to ensure no regression. For environments where immediate upgrade is not feasible, temporarily restrict access to the search function or apply compensating controls such as regex timeout policies at the application or system level.
Detection guidance
Monitor for indicators of exploitation: sustained elevated CPU usage coinciding with search API calls, repeated search requests with unusual parameter patterns, or performance degradation specifically in the search-manager component. Check application logs for high-frequency search_start events or malformed SearchResult[] inputs. Network monitoring can detect patterns of repeated search requests from authenticated sessions. Consider alerting on regex timeout exceptions if your runtime supports them. Post-patch, validation testing should confirm regex performance returns to baseline.
Why prioritize this
This vulnerability merits prompt but not emergency remediation. The MEDIUM severity reflects genuine availability risk, but authentication requirements and lack of KEV designation limit its criticality tier. Organizations should schedule patching within 2–4 weeks, prioritizing systems with high-availability requirements or exposure to lower-trust user bases. The public exploit code justifies accelerating from standard timelines but does not mandate immediate action for well-segmented environments.
Risk score, explained
The CVSS 3.1 score of 4.3 reflects the combination of network accessibility (AV:N), low attack complexity (AC:L), and requirement for low privileges (PR:L). No user interaction is required (UI:N), and the impact is scoped to availability (A:L). The score correctly omits confidentiality and integrity concerns. The score is proportionate—this is a legitimate availability risk that does not rise to high severity due to authentication and denial-of-service scope limitations.
Frequently asked questions
Can this vulnerability be exploited without authentication?
No. The vulnerability requires valid credentials to access the search function. An attacker must have an authenticated session to manipulate the SearchResult[] parameters. This significantly restricts the attack surface compared to unauthenticated vulnerabilities.
What is the actual impact if exploited—does it cause data loss?
No. The attack only affects availability through resource exhaustion; it does not compromise data integrity or confidentiality. The application may become slow or unresponsive, but no data is stolen, modified, or deleted. Service restoration typically occurs after the malicious search completes or times out.
Why is this in the news if it requires login and only causes DoS?
Public exploit code lowers the barrier for attackers to weaponize the vulnerability. Additionally, in environments with many users or shared accounts, an insider or compromised credential increases the risk of opportunistic attacks. The MEDIUM severity is appropriate but not trivial for production systems.
Can I work around this without upgrading immediately?
Partial mitigations include restricting search function access to trusted users, implementing request rate limiting on search endpoints, setting aggressive regex timeout policies, and monitoring for CPU spikes. However, these are temporary controls. Upgrading to version 0.2.39 is the only permanent fix.
This analysis is based on information available as of the published date and should not be considered a substitute for vendor advisories or security assessments specific to your environment. CVSS scores, affected versions, and patch details are sourced from the vulnerability record and should be verified against the official wonderwhy-er DesktopCommanderMCP advisory before remediation decisions. SEC.co makes no warranty regarding the completeness or accuracy of exploitation scenarios described. Organizations are responsible for assessing applicability to their infrastructure and conducting testing before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10291MEDIUMReDoS in Enderfga claw-orchestrator validateRegex—Security Update
- CVE-2026-10692MEDIUMReDoS Vulnerability in code-index-mcp Up to 2.14.0 – Patch Available
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification
- CVE-2026-0074MEDIUMAndroid LauncherProcessImageListener Denial of Service Vulnerability