Platform: other
Component: dive
Fixed in: 0.13.1
CVE-2026-23523 describes a Remote Code Execution (RCE) vulnerability discovered in Dive, an open-source MCP Host Desktop Application. This flaw allows an attacker to install a malicious MCP server configuration via a crafted deeplink, ultimately leading to arbitrary local command execution on the victim's machine. The vulnerability impacts versions of Dive prior to 0.13.0, and a fix is available in version 0.13.0.
The impact of CVE-2026-23523 is severe. An attacker can exploit this vulnerability to gain complete control over a victim's machine by executing arbitrary commands. This could involve installing malware, stealing sensitive data, or pivoting to other systems on the network. The attack vector, a crafted deeplink, makes this vulnerability particularly concerning as it can be delivered through various channels, such as email or malicious websites, potentially affecting a wide range of users. The ability to install a malicious MCP server configuration without sufficient user confirmation significantly lowers the barrier to exploitation.
CVE-2026-23523 was publicly disclosed on 2026-01-16. The vulnerability's ease of exploitation, combined with the potential for widespread impact, warrants careful attention. No public proof-of-concept (POC) code has been released at the time of this writing, but the vulnerability's nature suggests that a POC is likely to emerge. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-23523 is to upgrade Dive to version 0.13.0 or later immediately. If upgrading is not immediately feasible, consider stricter validation of deeplinks so that unauthorized MCP server configurations cannot be installed. No direct workaround is available, so carefully scrutinize any deeplink received from an untrusted source. After upgrading, verify the installation by launching Dive and confirming that no unexpected processes are running and no unexpected network connections are established.
Update Dive to version 0.13.0 or later. This version corrects the vulnerability that allows remote code execution through manipulated deep links. The update will prevent an attacker from installing an attacker-controlled MCP server configuration on your machine.
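The following is an added illustration of the kind of deeplink gate the mitigation above describes, written for this page and not taken from Dive's code base. The `dive://mcp` scheme, the `config` query parameter and the JSON payload shape are assumptions; the `command`/`args`/`env` fields are the standard MCP `mcpServers` config keys that launch a local process, which is exactly what must never be installed silently.

```javascript
// Added example: a deeplink gate that refuses to install MCP server entries
// that would spawn a local process unless the user explicitly confirms.
// Not Dive's code; scheme, parameter name and payload shape are assumptions.

// Keys in a standard MCP "mcpServers" entry that cause a local executable
// to be launched (stdio transport). Presence of any of them is the risk.
const PROCESS_FIELDS = ["command", "args", "env", "cwd"];

// Parse a deeplink into [{name, spec}] entries, or throw on anything odd.
function parseMcpDeeplink(link) {
  const url = new URL(link);
  if (url.protocol !== "dive:" || url.hostname !== "mcp") {
    throw new Error(`unexpected deeplink target: ${url.protocol}//${url.hostname}`);
  }
  const raw = url.searchParams.get("config");
  if (!raw) throw new Error("deeplink carries no config payload");
  const servers = JSON.parse(raw).mcpServers;
  if (!servers || typeof servers !== "object" || Array.isArray(servers)) {
    throw new Error("payload is not an mcpServers object");
  }
  return Object.entries(servers).map(([name, spec]) => ({ name, spec }));
}

// Classify one entry: "process" = launches a local executable, "remote" =
// HTTPS transport only, "reject" = nothing we recognise.
function classifyEntry(entry) {
  const spec = entry.spec || {};
  const spawns = PROCESS_FIELDS.filter((f) => f in spec);
  if (spawns.length > 0) return { risk: "process", reason: `spawns a local process via ${spawns.join(", ")}` };
  if (typeof spec.url === "string" && /^https:\/\//.test(spec.url)) return { risk: "remote", reason: "remote HTTPS transport" };
  return { risk: "reject", reason: "unrecognised transport" };
}

// Gate a whole deeplink. `confirm` stands in for an explicit user dialog and
// defaults to "deny", so process-spawning entries are never installed unless
// the user opted in; malformed or off-scheme links are blocked outright.
function gateDeeplink(link, confirm = () => false) {
  let entries;
  try { entries = parseMcpDeeplink(link); } catch (e) { return { installed: [], blocked: [{ name: "*", reason: e.message }] }; }
  const installed = [], blocked = [];
  for (const entry of entries) {
    const { risk, reason } = classifyEntry(entry);
    if (risk === "reject" || (risk === "process" && !confirm(entry, reason))) blocked.push({ name: entry.name, reason });
    else installed.push(entry.name);
  }
  return { installed, blocked };
}

// Constructed sample links (not real payloads): one would launch a local
// command, the other points at a remote HTTPS server.
const SAMPLE_PROCESS_LINK = "dive://mcp?config=" + encodeURIComponent(JSON.stringify({ mcpServers: { helper: { command: "sh", args: ["-c", "echo hello"] } } }));
const SAMPLE_REMOTE_LINK = "dive://mcp?config=" + encodeURIComponent(JSON.stringify({ mcpServers: { docs: { url: "https://example.com/mcp" } } }));
```

Run with `node` to see that `gateDeeplink(SAMPLE_PROCESS_LINK)` blocks the `helper` entry by default while `gateDeeplink(SAMPLE_REMOTE_LINK)` installs `docs`.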
CVE-2026-23523 is a critical RCE vulnerability in Dive versions prior to 0.13.0. A crafted deeplink can lead to arbitrary local command execution on a victim's machine.
Yes, if you are using Dive version 0.13.0 or earlier, you are vulnerable to this RCE vulnerability.
Upgrade Dive to version 0.13.0 or later to remediate the vulnerability. If immediate upgrade is not possible, carefully scrutinize deeplinks from untrusted sources.
While no active exploitation has been confirmed, the vulnerability's ease of exploitation suggests it may be targeted in the future.
Refer to the Dive project's official website and GitHub repository for the latest security advisories and updates.