CVE-2026-30352

LeonVanzyl · Autocoder

A remote code execution vulnerability exists in the Autocoder /devserver/start endpoint, allowing arbitrary code execution via a crafted command parameter.

Executive summary

An unauthenticated remote code execution vulnerability in the LeonVanzyl Autocoder development server allows attackers to execute arbitrary commands on the host machine.

Vulnerability

The vulnerability is a command injection flaw located in the /devserver/start endpoint. An attacker can provide a maliciously crafted command parameter that is processed by the underlying system without sufficient validation, leading to unauthorized code execution.

Business impact

Rated at 9.8, this RCE vulnerability poses a critical threat to the confidentiality, integrity, and availability of any system running the affected Autocoder commit. Attackers can gain full control over the host environment, leading to data theft, lateral movement within the network, or permanent system disruption.

Remediation

Immediate Action: Discontinue use of the vulnerable commit and restrict network access to the /devserver/start endpoint until a secure update is provided.

Proactive Monitoring: Review web server and application access logs for unusual requests targeting the /devserver/start path and monitor for suspicious child processes spawned by the application.

Compensating Controls: Implement strict network-level segmentation or a reverse proxy with path-based filtering to block all access to the /devserver/ directory from external or untrusted internal networks.
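The log review described under Proactive Monitoring can be scripted. The following is an added example, not part of this advisory or the Autocoder project: it parses access-log lines in the common combined format (an assumption about the deployment's logging), reports every request under the /devserver/ tree, and marks which ones hit /devserver/start and which carry a visible command query parameter. The log lines below are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format as written by nginx/Apache by default (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; IPs, timestamps and query values are made up.
SAMPLE_LOG = """\
10.0.0.12 - - [01/Mar/2026:10:00:01 +0000] "GET /api/projects HTTP/1.1" 200 512
203.0.113.7 - - [01/Mar/2026:10:00:05 +0000] "POST /devserver/start HTTP/1.1" 200 84
198.51.100.3 - - [01/Mar/2026:10:00:09 +0000] "GET /devserver/start?command=npm%20run%20dev HTTP/1.1" 200 84
10.0.0.12 - - [01/Mar/2026:10:00:15 +0000] "GET /devserver/status HTTP/1.1" 200 32
10.0.0.20 - - [01/Mar/2026:10:00:20 +0000] "GET /static/app.js HTTP/1.1" 304 0
"""


def find_devserver_requests(log_text, vulnerable_path="/devserver/start"):
    """Return one finding per request that touches the /devserver/ tree.

    Each finding records the client, method and path, whether the request hit
    the vulnerable endpoint itself, and whether a `command` parameter was
    visible in the query string. POST bodies never appear in access logs, so
    a request without a visible parameter is still worth reviewing.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.startswith("/devserver/"):
            continue
        params = parse_qs(parts.query)
        findings.append({
            "client": m["ip"],
            "method": m["method"],
            "path": parts.path,
            "hits_vulnerable_endpoint": parts.path == vulnerable_path,
            "command_param_visible": "command" in params,
        })
    return findings


if __name__ == "__main__":
    for finding in find_devserver_requests(SAMPLE_LOG):
        print(finding)
```

Any finding from a client outside the networks that are allowed to reach the development server should be treated as a candidate exploitation attempt and correlated with the child-process monitoring recommended above.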

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the simplicity of the attack vector, this vulnerability should be treated as an emergency. Users should verify their current deployment against the affected commit and isolate the service until a verified fix is released by the maintainer.