CVE-2026-30352
LeonVanzyl · Autocoder
A remote code execution vulnerability exists in the Autocoder `/devserver/start` endpoint, allowing arbitrary code execution via a crafted command parameter.
Executive summary
An unauthenticated remote code execution vulnerability in the LeonVanzyl Autocoder development server allows attackers to execute arbitrary commands on the host machine.
Vulnerability
The vulnerability is a command injection flaw located in the /devserver/start endpoint. An attacker can provide a maliciously crafted command parameter that is processed by the underlying system without sufficient validation, leading to unauthorized code execution.
Business impact
Rated at 9.8, this RCE vulnerability poses a critical threat to the confidentiality, integrity, and availability of any system running the affected Autocoder commit. Attackers can gain full control over the host environment, leading to data theft, lateral movement within the network, or permanent system disruption.
Remediation
Immediate Action: Discontinue use of the vulnerable commit immediately and restrict network access to the /devserver/start endpoint until a secure update is provided.
Proactive Monitoring: Review web server and application access logs for unusual requests targeting the /devserver/start path and monitor for suspicious child processes spawned by the application.
Compensating Controls: Implement strict network-level segmentation or a reverse proxy with path-based filtering to block all access to the /devserver/ directory from external or untrusted internal networks.
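As an added detection example (not part of this advisory or the Autocoder project), a small Python scanner over constructed Common Log Format access-log lines that flags every request to the /devserver/start path, raising severity when the source is not loopback or when the query string carries shell metacharacters. It assumes the command parameter may be sent in the query string; a parameter sent in a POST body is not visible in access logs and needs the process-monitoring step instead.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Common Log Format: client, identity, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
VULN_PATH = "/devserver/start"
# Characters that let a value terminate or chain a shell command.
SHELL_META = re.compile(r"[;|&`$]")

# Constructed sample log lines for illustration; not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [01/Jan/2026:10:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 512
127.0.0.1 - - [01/Jan/2026:10:00:01 +0000] "POST /devserver/start HTTP/1.1" 200 87
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "POST /devserver/start HTTP/1.1" 200 87
203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /devserver/start?command=npm%20run%20dev%3B%20echo%20hi HTTP/1.1" 200 87
198.51.100.4 - - [01/Jan/2026:10:00:04 +0000] "GET /devserver/status HTTP/1.1" 200 44
"""

def analyze_line(line):
    """Return a finding for a request to the vulnerable path, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    if path != VULN_PATH:
        return None
    reasons = []
    if not ip_address(m["ip"]).is_loopback:
        reasons.append("non-loopback source")
    if SHELL_META.search(unquote(query)):  # decode %XX before inspecting
        reasons.append("shell metacharacter in query")
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "reasons": reasons, "severity": "high" if reasons else "info"}

def scan_log(text):
    """Scan a whole log; every hit on the path is reported, even the benign ones."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```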
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the simplicity of the attack vector, this vulnerability should be treated as an emergency. Users should verify their current deployment against the affected commit and isolate the service until a verified fix is released by the maintainer.