CVE-2026-23523
Published: 16 January 2026
Summary
CVE-2026-23523 is a critical-severity Code Injection (CWE-94) vulnerability in Openagentplatform Dive. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks at the 14.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces validation of deeplink inputs to prevent processing of crafted links that install attacker-controlled MCP server configurations without sufficient user confirmation.
- Requires timely remediation of the specific flaw in Dive versions prior to 0.13.0 via patching, directly eliminating the vulnerability to deeplink-based code injection.
- Deploys malicious code protection mechanisms to block execution of arbitrary local commands enabled by the unauthorized MCP server configuration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables RCE via malicious deeplink (user execution) leading to arbitrary local command execution through attacker-controlled MCP server config.
NVD Description
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.
Deeper analysis
CVE-2026-23523 is a critical-severity vulnerability in Dive, an open-source MCP Host Desktop Application designed to enable integration with function-calling large language models (LLMs). In versions prior to 0.13.0, the application fails to enforce sufficient user confirmation when processing crafted deeplinks, allowing the installation of an attacker-controlled MCP server configuration. This flaw, classified under CWE-94 (Code Injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
A remote attacker without privileges can exploit this issue by distributing a malicious deeplink, typically via social engineering to induce user interaction such as clicking a link. Upon processing, the deeplink installs the attacker's MCP server configuration, enabling arbitrary local command execution on the victim's machine. This grants the attacker high-impact control over confidentiality, integrity, and availability, with a changed scope due to the privilege escalation from network to local system access.
The vulnerability is addressed in Dive version 0.13.0. Security practitioners should update to this version immediately. Additional details are available in the GitHub security advisory (GHSA-pjj5-f3wm-f9m8) and the patching commit (a5162ac9eff366d8ea1215b8a47139a81a55a779).
This issue holds relevance for AI/ML deployments involving LLM integrations, as Dive facilitates function-calling workflows that could expose desktop environments to remote compromise. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-01-16.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp, mcp