CVE-2026-33057

Critical · RCE

Published: 20 March 2026

Modified: 24 March 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0529 (91.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33057 is a critical-severity Code Injection (CWE-94) vulnerability in Mesop-Dev Mesop. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-33057 is an unrestricted remote code execution vulnerability (CWE-94) in Mesop, a Python-based UI framework for building web applications. It affects versions 1.2.2 and below, specifically within the ai/ testing module infrastructure. The vulnerable component is a lightweight debugging Flask server in ai/sandbox/wsgi_app.py, which exposes an /exec-py web endpoint that directly ingests untrusted Python code strings via base64-encoded payloads in the 'code' parameter of POST requests, without any authentication. The server saves the code to the filesystem and executes it recursively using execute_module(module_path...), enabling full host compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Attackers require only network access to the affected Mesop server instance running the debugging endpoint. Exploitation involves sending a simple POST request to /exec-py with a base64-encoded Python payload, which is unconditionally evaluated and executed on the host machine. Successful exploitation grants arbitrary command execution rights, allowing attackers to achieve complete control over the server, including data exfiltration, persistence, or further lateral movement.

The vulnerability has been addressed in Mesop version 1.2.3. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v) and the fixing commit (https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47).

This issue is noteworthy in AI/ML development contexts, as the vulnerable endpoint is part of Mesop's AI sandbox testing infrastructure.
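
A triage check for the exposure described above, as an added example that is not code from the advisory or from the Mesop project: it flags POST requests to /exec-py in web access logs and compares a Mesop version string against the fixed release 1.2.3. The Common Log Format layout, the helper names and the sample log lines are assumptions constructed for illustration.

```python
import re
from importlib import metadata

FIXED = (1, 2, 3)          # first fixed release, per the text above
EXEC_ROUTE = "/exec-py"    # route named in the advisory text

# Assumption: access logs are in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(text):
    """'1.2.2' -> (1, 2, 2). Assumes plain X.Y[.Z] release versions."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(version_text):
    """True when the version is older than the fixed release."""
    return parse_version(version_text) < FIXED

def installed_mesop_is_vulnerable():
    """True/False for the mesop package in this environment, None if absent."""
    try:
        return is_vulnerable(metadata.version("mesop"))
    except metadata.PackageNotFoundError:
        return None

def find_exec_py_hits(lines):
    """Return (source, timestamp, status) for each POST to the debug route."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore any query string and trailing slash before comparing.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path == EXEC_ROUTE:
            hits.append((m["src"], m["ts"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:10:02:11 +0000] "POST /exec-py HTTP/1.1" 200 17',
    '198.51.100.4 - - [21/Mar/2026:10:02:15 +0000] "GET /exec-py HTTP/1.1" 405 178',
    '198.51.100.4 - - [21/Mar/2026:10:03:40 +0000] "POST /api/chat HTTP/1.1" 200 512',
    '203.0.113.9 - - [21/Mar/2026:10:05:02 +0000] "POST /exec-py?x=1 HTTP/1.1" 500 290',
]

if __name__ == "__main__":
    print(installed_mesop_is_vulnerable(), find_exec_py_hits(SAMPLE_LOG))
```

Any hit means the debugging server was reachable from the logged source, so a hit on a host that should not run the sandbox is worth investigating whatever the response status.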

Vulnerability details

Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard…

Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base_64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The vulnerability is an unauthenticated RCE in a public-facing web endpoint of a Python framework's debugging server, directly enabling exploitation of public-facing applications (T1190) via execution of arbitrary Python code (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33054 · Same product: Mesop-Dev Mesop
CVE-2026-34824 · Same product: Mesop-Dev Mesop
CVE-2025-0185 · Shared CWE-94
CVE-2026-33873 · Shared CWE-94
CVE-2026-27966 · Shared CWE-94
CVE-2026-41138 · Shared CWE-94
CVE-2025-53890 · Shared CWE-94
CVE-2026-39891 · Shared CWE-94
CVE-2024-57609 · Shared CWE-94
CVE-2026-7466 · Shared CWE-94

Affected Assets

mesop-dev · mesop · ≤ 1.2.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces authentication and authorization mechanisms on the /exec-py endpoint to block unauthorized remote code execution from untrusted POST requests.

Prevent: Restricts the Mesop system to least functionality by disabling or removing the unnecessary debugging Flask server and its unrestricted code execution endpoint in production environments.

Prevent: Remediates the specific RCE flaw in Mesop versions 1.2.2 and below by applying patches such as upgrading to version 1.2.3 where the vulnerable endpoint is secured.
