CVE-2026-33057
Published: 20 March 2026
Summary
CVE-2026-33057 is a critical-severity Code Injection (CWE-94) vulnerability in Mesop-Dev Mesop. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-33057 is an unrestricted remote code execution vulnerability (CWE-94) in Mesop, a Python-based UI framework for building web applications. It affects versions 1.2.2 and below, specifically within the ai/ testing module infrastructure. The vulnerable component is a lightweight debugging Flask server in ai/sandbox/wsgi_app.py, which exposes an /exec-py web endpoint that directly ingests untrusted Python code strings via base64-encoded payloads in the 'code' parameter of POST requests, without any authentication. The server saves the code to the filesystem and executes it recursively using execute_module(module_path...), enabling full host compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attackers require only network access to the affected Mesop server instance running the debugging endpoint. Exploitation involves sending a simple POST request to /exec-py with a base64-encoded Python payload, which is unconditionally evaluated and executed on the host machine. Successful exploitation grants arbitrary command execution rights, allowing attackers to achieve complete control over the server, including data exfiltration, persistence, or further lateral movement.
The vulnerability has been addressed in Mesop version 1.2.3. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v) and the fixing commit (https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47).
This issue is noteworthy in AI/ML development contexts, as the vulnerable endpoint is part of Mesop's AI sandbox testing infrastructure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13618
Vulnerability details
Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, an explicit web endpoint inside the ai/ testing module infrastructure directly ingests untrusted Python code strings unconditionally without authentication measures, yielding standard Unrestricted Remote Code Execution. Any individual capable of routing HTTP logic to this server block will gain explicit host-machine command rights. The AI codebase package includes a lightweight debugging Flask server inside ai/sandbox/wsgi_app.py. The /exec-py route accepts base64 encoded raw string payloads inside the code parameter natively evaluated by a basic POST web request. It saves it rapidly to the operating system logic path and injects it recursively using execute_module(module_path...). This issue has been fixed in version 1.2.3.
- CWE(s): CWE-94 (Code Injection)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated RCE in a public-facing web endpoint of a Python framework's debugging server, directly enabling exploitation of public-facing applications (T1190) via execution of arbitrary Python code (T1059.006).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces authentication and authorization mechanisms on the /exec-py endpoint to block unauthorized remote code execution from untrusted POST requests.
- CM-7 (Least Functionality): Restricts the Mesop system to least functionality by disabling or removing the unnecessary debugging Flask server and its unrestricted code execution endpoint in production environments.
- Remediates the specific RCE flaw in Mesop versions 1.2.2 and below by applying patches such as upgrading to version 1.2.3, where the vulnerable endpoint is secured.
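As an added illustration of the AC-3 and CM-7 controls listed above (example code written for this page, not Mesop's own code or the 1.2.3 fix), a stdlib-only WSGI middleware that keeps a debugging route such as /exec-py absent unless explicitly enabled and, when enabled, requires a bearer token compared in constant time. ExecEndpointGuard, the token scheme, the stand-in handler and all sample values are assumptions.

```python
# Constructed example, not Mesop's code or its fix. ExecEndpointGuard, the
# bearer-token scheme and the stand-in handler are all assumptions.
import hmac

GUARDED_PATHS = frozenset({"/exec-py"})

class ExecEndpointGuard:
    """WSGI middleware placed in front of a debugging app.
    CM-7: the guarded route is absent (404) unless explicitly enabled.
    AC-3: when enabled, callers must present the configured bearer token."""

    def __init__(self, app, enabled, token):
        self.app, self.enabled, self.token = app, enabled, token

    def _deny(self, status, start_response):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO", "") not in GUARDED_PATHS:
            return self.app(environ, start_response)
        if not self.enabled:
            return self._deny("404 Not Found", start_response)
        auth = environ.get("HTTP_AUTHORIZATION", "")
        presented = auth[7:] if auth.startswith("Bearer ") else ""
        # Constant-time comparison; an empty configured token never matches.
        if not self.token or not hmac.compare_digest(
                presented.encode(), self.token.encode()):
            return self._deny("403 Forbidden", start_response)
        return self.app(environ, start_response)

def _debug_app(environ, start_response):
    # Stand-in for the debugging server's handler; it executes nothing.
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"handled"]

def production_app():
    return ExecEndpointGuard(_debug_app, enabled=False, token="")

def dev_app(token="constructed-dev-token"):
    return ExecEndpointGuard(_debug_app, enabled=True, token=token)

def call(app, path, auth=None):
    """Invoke a WSGI app with a constructed POST environ; return the status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    seen = []
    app(environ, lambda status, headers, exc_info=None: seen.append(status))
    return seen[0]
```

In production the route answers 404 as if it did not exist; in a development configuration an unauthenticated or wrongly authenticated POST gets 403 and only the matching token reaches the handler.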