Platform: other
Component: dive
Fixed in: 0.13.1
CVE-2026-23523 describes a Remote Code Execution (RCE) vulnerability in Dive, an open-source MCP host desktop application. A crafted deeplink can install an attacker-controlled MCP server configuration in the host. Since an MCP server entry tells the host which local command to launch (and with which arguments and environment), installing such an entry is equivalent to running an arbitrary command on the victim's machine. The vulnerability affects Dive versions prior to 0.13.0; a fix is available in version 0.13.0.
The impact of CVE-2026-23523 is severe. The injected command runs with the privileges of the user running Dive, which is enough to install malware, steal local data and credentials, or pivot to other systems on the network. The attack vector, a crafted deeplink, is what makes this notable: the link can be delivered by email, a web page or a chat message, and the operating system hands it to Dive's registered URL handler. The browser or mail client may ask whether to open the link in Dive, but that prompt does not show what the embedded configuration will do. Because the configuration could be installed without sufficient user confirmation, the barrier to exploitation is low.
CVE-2026-23523 was publicly disclosed on 2026-01-16. The low effort needed to exploit it, combined with the potential for broad impact, warrants careful attention. No public proof-of-concept (PoC) code had been released at the time of writing, but the nature of the bug makes a PoC likely to appear. It is not currently listed in the CISA KEV catalog.
Dive users who open links from untrusted sources are at risk, and anyone running an unpatched version prior to 0.13.0 is exposed. Organizations deploying Dive in enterprise environments should prioritize patching, since a single successful deeplink gives an attacker a foothold on an employee workstation.
Exploit status
EPSS: 0.03% (percentile 8%)
CISA SSVC: not provided on this page
CVSS vector: not provided on this page
The primary mitigation for CVE-2026-23523 is to upgrade Dive to version 0.13.0 or later immediately. Validating deeplink contents is something only the application itself can do, so there is no real workaround for users on older versions; until you upgrade, treat any link that opens Dive as untrusted and do not accept it unless you know exactly where it came from. After upgrading, confirm that the installed version reports 0.13.0 or later, and review Dive's MCP server configuration for entries you did not add yourself. Every entry there is a command Dive will launch on your behalf, so an unfamiliar entry should be removed rather than left in place, and the machine should be examined for unexpected processes or network connections if one is found.
Update Dive to version 0.13.0 or later. This version fixes the vulnerability that allows remote code execution via crafted deeplinks, and prevents an attacker from installing an attacker-controlled MCP server configuration on your machine.
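The post-upgrade check above (review the MCP server configuration for entries you did not add) is easy to script. The following is an added example, not code from the Dive project: it assumes the configuration uses the common MCP host layout `{"mcpServers": {name: {"command": ..., "args": [...], "env": {...}}}}` used by several MCP desktop hosts; Dive's real on-disk format and path may differ, so adapt the loader to the actual file. The sample configuration embedded in the block is constructed for the demonstration and is not a real payload. It flags entries that are not on your own allowlist of known servers, entries whose command is a shell interpreter or that pass an inline script string, and entries that override loader-related environment variables.

```python
"""Audit an MCP host configuration for server entries that would spawn
arbitrary local commands.

Added illustration, not code from the Dive project. Assumes the common
MCP host layout {"mcpServers": {name: {"command", "args", "env"}}};
Dive's real format may differ (assumption).
"""
import json
import os

# Commands that turn an MCP server entry into "run whatever string follows".
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe",
                      "powershell", "powershell.exe", "pwsh"}
# Launchers an MCP stdio server is normally started through.
EXPECTED_LAUNCHERS = {"npx", "uvx", "node", "python", "python3", "docker"}
# Flags that make the next argument an inline script or command string.
INLINE_SCRIPT_FLAGS = {"-c", "/c", "-Command", "-EncodedCommand", "-e", "-eval"}
# Environment variables that change what gets loaded into the spawned process.
SENSITIVE_ENV = {"LD_PRELOAD", "DYLD_INSERT_LIBRARIES", "PATH"}


def audit_entry(name, entry, known_names):
    """Return a list of findings for one mcpServers entry ([] = nothing odd)."""
    findings = []
    command = str(entry.get("command", ""))
    args = [str(a) for a in entry.get("args", [])]
    base = os.path.basename(command).lower()

    if name not in known_names:
        findings.append("entry not in the user's allowlist of known servers")
    if base in SHELL_INTERPRETERS:
        findings.append(f"command is a shell interpreter ({command})")
    elif base not in EXPECTED_LAUNCHERS:
        findings.append(f"unexpected launcher {command!r}")
    if any(a in INLINE_SCRIPT_FLAGS for a in args):
        findings.append("args pass an inline script/command string")
    for key in entry.get("env", {}):
        if key.upper() in SENSITIVE_ENV:
            findings.append(f"env overrides {key}")
    return findings


def audit_config(config_text, known_names=()):
    """Audit a whole config document; returns {server_name: [findings]}."""
    cfg = json.loads(config_text)
    servers = cfg.get("mcpServers", {})
    return {name: audit_entry(name, entry, set(known_names))
            for name, entry in servers.items()}


# Constructed sample: one legitimate server and one entry of the kind a
# crafted deeplink could drop in (hypothetical, harmless command).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/user/docs"],
        },
        "updater": {
            "command": "/bin/sh",
            "args": ["-c", "touch /tmp/mcp-demo"],
            "env": {"PATH": "/tmp/x:/usr/bin"},
        },
    }
})

if __name__ == "__main__":
    # Only "filesystem" is something the user remembers adding.
    for name, findings in audit_config(SAMPLE_CONFIG, ["filesystem"]).items():
        print(("OK     " if not findings else "REVIEW ") + name)
        for finding in findings:
            print("       - " + finding)
```

Point the loader at the real configuration file and pass the names of the servers you set up yourself; anything reported as REVIEW is worth removing until you have confirmed where it came from. The allowlist check is the important one: a malicious entry does not have to look suspicious, it only has to be one you did not add.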
CVE-2026-23523 is a critical RCE vulnerability in Dive versions prior to 0.13.0. A crafted deeplink installs an attacker-controlled MCP server configuration, which leads to arbitrary local command execution on the victim's machine.
Yes, if you are using a Dive version prior to 0.13.0, you are vulnerable to this RCE vulnerability.
Upgrade Dive to version 0.13.0 or later to remediate the vulnerability. If an immediate upgrade is not possible, do not accept deeplinks from untrusted sources and review your MCP server configuration for entries you did not add.
No active exploitation has been confirmed, but the low effort needed to exploit the bug means it may be targeted in the future.
Refer to the Dive project's official website and GitHub repository for the latest security advisories and updates.