CVE-2026-23523

Critical · Public PoC · RCE

Published: 16 January 2026
Modified: 09 February 2026
KEV Added
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0630 (92.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23523 is a critical-severity Code Injection (CWE-94) vulnerability in Openagentplatform Dive. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE ranks in the top 7.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23523 is a critical-severity vulnerability in Dive, an open-source MCP Host Desktop Application designed to enable integration with function-calling large language models (LLMs). In versions prior to 0.13.0, the application fails to enforce sufficient user confirmation when processing crafted deeplinks, allowing the installation of an attacker-controlled MCP server configuration. This flaw, classified under CWE-94 (Code Injection), carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A remote attacker without privileges can exploit this issue by distributing a malicious deeplink, typically via social engineering to induce user interaction such as clicking a link. Upon processing, the deeplink installs the attacker's MCP server configuration, enabling arbitrary local command execution on the victim's machine. This grants the attacker high-impact control over confidentiality, integrity, and availability, with a changed scope due to the privilege escalation from network to local system access.

The vulnerability is addressed in Dive version 0.13.0. Security practitioners should update to this version immediately. Additional details are available in the GitHub security advisory (GHSA-pjj5-f3wm-f9m8) and the patching commit (a5162ac9eff366d8ea1215b8a47139a81a55a779).

This issue holds relevance for AI/ML deployments involving LLM integrations, as Dive facilitates function-calling workflows that could expose desktop environments to remote compromise. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-01-16.

Vulnerability details

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim’s machine. This vulnerability is fixed in 0.13.0.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llms, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Vulnerability enables RCE via malicious deeplink (user execution) leading to arbitrary local command execution through attacker-controlled MCP server config.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-58176 (same product: Openagentplatform Dive)
CVE-2025-66580 (same product: Openagentplatform Dive)
CVE-2026-2287 (shared CWE-94)
CVE-2026-25807 (shared CWE-94)
CVE-2026-31040 (shared CWE-94)
CVE-2025-70364 (shared CWE-94)
CVE-2025-5120 (shared CWE-94)
CVE-2026-45374 (shared CWE-94)
CVE-2026-30741 (shared CWE-94)
CVE-2026-44717 (shared CWE-94)

Affected Assets

openagentplatform
dive
≤ 0.13.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces validation of deeplink inputs to prevent processing of crafted links that install attacker-controlled MCP server configurations without sufficient user confirmation.

Prevent: Requires timely remediation of the specific flaw in Dive versions prior to 0.13.0 via patching, directly eliminating the vulnerability to deeplink-based code injection.

Prevent, detect: Deploys malicious code protection mechanisms to block execution of arbitrary local commands enabled by the unauthorized MCP server configuration.
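
One way to implement the input-validation control together with the user-confirmation step this CVE lacked, shown as an added example that is not Dive's code or its 0.13.0 fix. The `exampleapp://` scheme, the `install-mcp` action, the `config` parameter and every function name are hypothetical.

```javascript
// Added example: confirmation-gated handling of an "install MCP server" deeplink.
// The exampleapp:// scheme, install-mcp action, config parameter and all
// function names are hypothetical; this is not Dive's deeplink format.
const MAX_CONFIG_CHARS = 4096;

// Parse and validate the link. Returns { name, command, args } or throws.
function parseInstallLink(link) {
  const url = new URL(link);
  if (url.protocol !== 'exampleapp:' || url.hostname !== 'install-mcp') {
    throw new Error('unsupported deeplink');
  }
  const raw = url.searchParams.get('config') || '';
  if (raw.length === 0 || raw.length > MAX_CONFIG_CHARS) {
    throw new Error('config missing or too large');
  }
  const cfg = JSON.parse(Buffer.from(raw, 'base64url').toString('utf8'));
  if (cfg === null || typeof cfg !== 'object') throw new Error('config is not an object');
  const { name, command, args = [] } = cfg;
  if (typeof name !== 'string' || typeof command !== 'string' || command === '') {
    throw new Error('name and command must be strings');
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    throw new Error('args must be an array of strings');
  }
  return { name, command, args }; // copy known fields only, drop everything else
}

// The exact text the user approves: the full argv, JSON-quoted so whitespace
// or control characters in the link cannot disguise what will run.
function describeRequest(req) {
  return `Install MCP server ${JSON.stringify(req.name)}? It will run: ` +
    JSON.stringify([req.command, ...req.args]);
}

// confirm(message) -> Promise<boolean> comes from the UI; install(req) writes
// the configuration. Anything other than an explicit true is a refusal.
async function handleDeeplink(link, confirm, install) {
  let req;
  try {
    req = parseInstallLink(link);
  } catch (err) {
    return { installed: false, reason: `rejected: ${err.message}` };
  }
  if ((await confirm(describeRequest(req))) !== true) {
    return { installed: false, reason: 'user declined' };
  }
  install(req);
  return { installed: true, reason: 'user approved' };
}
```

The handler is default-deny: a link that fails validation never reaches the prompt, and `install` runs only after the user has seen the complete command line and approved it.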
