Executive Summary
CVE-2026-30352 is a critical remote code execution (RCE) vulnerability in leonvanzyl/autocoder, an AI-assisted coding tool hosted on GitHub. The flaw resides in the /devserver/start HTTP endpoint, which accepts a command parameter that is passed to the OS shell without sanitization. Any attacker with network access to the development server can execute arbitrary commands on the underlying host.
The vulnerability carries a CVSS score of 9.8 (Critical) and requires no authentication, no user interaction, and minimal attack complexity. Organizations or individuals running the affected commit should disable the dev server or apply the fix immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-30352 |
| CVSS Score | 9.8 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-78 — Improper Neutralization of Special Elements used in an OS Command |
| Type | Remote Code Execution via OS Command Injection |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Patch Available | Check upstream repository |
| NVD Published | 2026-04-27 |
Affected Versions
| Product | Affected | Fixed |
|---|---|---|
| leonvanzyl/autocoder | commit 79d02a and earlier | Check upstream for patch |
Technical Analysis
What Is Autocoder?
autocoder (leonvanzyl/autocoder) is an open-source AI-assisted coding and code generation tool. Projects of this type typically expose local HTTP development server endpoints to facilitate real-time interaction between the IDE, the local AI inference layer, and developer tooling. The /devserver/start endpoint is part of this local service layer.
The Vulnerability
The /devserver/start endpoint accepts a command parameter via an HTTP request. The server-side implementation takes the value of this parameter and concatenates it directly into a shell invocation without any sanitization, allowlisting, or parameterized subprocess call. This is a classic OS command injection (CWE-78) pattern.
Because no input filtering is applied, an attacker can append shell metacharacters (;, &, |, $()) to inject additional commands. The injected payload executes with the same privileges as the autocoder dev server process.
Attack Flow
1. Attacker identifies a host running leonvanzyl/autocoder dev server (default port exposed)
2. Attacker sends HTTP request to /devserver/start with a crafted command parameter
3. Server passes the unsanitized parameter to the OS shell
4. Attacker achieves arbitrary code execution with the privileges of the running process
5. From there: data exfiltration, persistence, lateral movement, or supply chain injection
Why CVSS 9.8
| Metric | Value | Reason |
|---|---|---|
| No authentication | PR:N | The endpoint requires no credentials |
| No user interaction | UI:N | Fully automated exploitation |
| Network-reachable | AV:N | Any host with network access to the dev server is at risk |
| Full C/I/A impact | H/H/H | Arbitrary command execution yields complete host compromise |
Impact Assessment
| Impact Area | Description |
|---|---|
| Developer Host Compromise | Full RCE on the developer's machine running autocoder |
| Source Code Theft | Attacker gains access to all code and credentials in the working directory |
| Supply Chain Risk | Compromised developer machine can be used to inject malicious code into repositories |
| Credential Exposure | SSH keys, API tokens, cloud credentials, and .env files may be exfiltrated |
| Persistence | Attacker can install backdoors or SSH keys for continued access |
| Lateral Movement | Access to developer machine enables targeting of internal networks and CI/CD pipelines |
Risk Context: AI Dev Tools as Attack Surface
AI-assisted coding tools running local HTTP servers represent an emerging attack surface. Developer machines typically hold privileged access to:
- Source code repositories and signing keys
- Cloud provider credentials (AWS, GCP, Azure)
- Internal infrastructure credentials (databases, CI/CD tokens)
- Customer data in local development environments
A single RCE on a developer machine can enable supply chain attacks far exceeding the initial scope of the vulnerability.
Remediation
Immediate Actions
- Stop the autocoder dev server if it is not actively needed
- Restrict network access — ensure the dev server binds to 127.0.0.1 only, not 0.0.0.0
- Check the upstream repository for a patched commit and update immediately
- Audit your development machine for signs of unauthorized access if the server was publicly reachable
Firewall Mitigation (Linux)
```bash
# Block external access to the dev server port (adjust port as needed).
# ufw evaluates rules in order and stops at the first match, so the
# loopback allow must be added before the catch-all deny.
sudo ufw allow from 127.0.0.1 to any port <devserver_port>
sudo ufw deny from any to any port <devserver_port>
```
Secure Dev Server Binding
If you operate the server, ensure it binds to localhost only:
```python
# Secure pattern — bind to loopback only (Flask-style app.run)
app.run(host="127.0.0.1", port=<port>)
```
Secure Command Execution (Fix Pattern)
The underlying fix requires replacing direct shell string interpolation with a parameterized subprocess call using subprocess.run with a list of arguments rather than a shell string. This prevents any injected metacharacters from being interpreted by the shell.
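The following is an added illustration of that fix pattern; it is not code from the autocoder project. The real endpoint's implementation is not reproduced here, and the `ALLOWED_COMMANDS` set, the `build_argv` / `start_devserver` names and the injectable `runner` parameter are assumptions made for the example:

```python
import shlex
import subprocess

# Assumed allowlist of dev-server launch programs. The project's actual set of
# permitted commands is not known; these are illustrative values only.
ALLOWED_COMMANDS = {"npm", "pnpm", "yarn", "vite"}

# Characters the shell would interpret. A request containing them is rejected
# outright (and can be logged) rather than silently "cleaned".
SHELL_METACHARS = set(";&|$`<>(){}\n")


def start_devserver_vulnerable(command: str):
    # The CWE-78 pattern the advisory describes: the raw request parameter is
    # handed to a shell as a string. Shown for contrast only; never call this.
    return subprocess.Popen(f"{command}", shell=True)


def build_argv(command: str) -> list[str]:
    """Turn the untrusted `command` parameter into an argv list.

    Raises ValueError if the value is empty, contains shell metacharacters,
    or does not start with an allowlisted program.
    """
    if not command or not command.strip():
        raise ValueError("empty command")
    if SHELL_METACHARS & set(command):
        raise ValueError("shell metacharacters are not permitted")
    argv = shlex.split(command)  # raises ValueError on unbalanced quotes
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"program {argv[0]!r} is not allowlisted")
    return argv


def start_devserver(command: str, runner=subprocess.Popen):
    """Launch the dev server without involving a shell.

    `runner` is injectable so the launch path can be exercised in a test
    without spawning a process; in production it is subprocess.Popen.
    """
    argv = build_argv(command)
    # shell=False and a list argument: argv goes straight to execve, so nothing
    # in the request is ever parsed as shell syntax.
    return runner(argv, shell=False)


if __name__ == "__main__":
    print(build_argv("npm run dev -- --port 3000"))
    try:
        build_argv("npm run dev; id")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist matters as much as the list-form call: `subprocess.run(shlex.split(cmd))` alone stops shell metacharacter interpretation, but it still lets a caller pick any program on the host's PATH, so the endpoint should only ever launch the handful of commands it exists to launch.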
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected HTTP requests to /devserver/start from non-localhost IPs | Exploitation attempt |
| Shell metacharacters (`;`, `&`, `\|`, `$()`) in request logs | Exploitation attempt |
| Unusual child processes spawned by the dev server process | Successful exploitation |
| New files, cron jobs, or SSH keys on developer machine | Post-exploitation persistence |
| Outbound connections to unknown IPs from developer host | Data exfiltration or C2 beaconing |
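As an added example of checking the first two indicators above against web server logs (this is not tooling from the autocoder project), the scanner below parses Common Log Format lines, keeps only requests to /devserver/start, and flags a non-loopback source address or shell metacharacters in the `command` parameter. The `SAMPLE_LOG` lines are constructed for the example, with RFC 1918 and TEST-NET addresses, and the log format is an assumption; adapt `LOG_RE` to whatever your server actually writes:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [27/Apr/2026:10:00:01 +0000] "POST /devserver/start?command=npm%20run%20dev HTTP/1.1" 200 12
10.0.0.5 - - [27/Apr/2026:10:00:07 +0000] "POST /devserver/start?command=npm%20run%20dev%3B%20id HTTP/1.1" 200 12
203.0.113.9 - - [27/Apr/2026:10:00:09 +0000] "GET /healthz HTTP/1.1" 200 2
127.0.0.1 - - [27/Apr/2026:10:00:11 +0000] "POST /devserver/start?command=vite%20%7C%20true HTTP/1.1" 200 12
"""

# Assumed log layout: client IP, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
SHELL_METACHARS = set(";&|$`<>(){}\n")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
TARGET_PATH = "/devserver/start"


def scan_log(text: str) -> list[dict]:
    """Return one finding per suspicious /devserver/start request.

    Each finding records the line number, source IP, the decoded `command`
    parameter, and the reasons it was flagged.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real scanner would count these
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        # parse_qs percent-decodes values, so "%3B" comes back as ";".
        command = parse_qs(parts.query).get("command", [""])[0]
        reasons = []
        if m["ip"] not in LOOPBACK:
            reasons.append("non-localhost source")
        if SHELL_METACHARS & set(command):
            reasons.append("shell metacharacters in command parameter")
        if reasons:
            findings.append(
                {"line": lineno, "ip": m["ip"], "command": command, "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

On the sample input the first line (loopback, plain `npm run dev`) is clean and the third is not the target path, so only lines 2 and 4 are reported. A POST body rather than a query string would not appear in an access log at all, which is why the "unusual child processes" indicator in the table is the more reliable signal on a host you control.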
Post-Remediation Checklist
- Update autocoder to a patched version as soon as one is available
- Bind all dev servers to 127.0.0.1 — never expose them on 0.0.0.0
- Audit web server logs for suspicious requests to /devserver/start
- Rotate any credentials that may have been accessible on the compromised machine
- Review recent repository commits for unexpected changes if the machine was reachable
- Scan for persistence artifacts (new cron jobs, SSH keys, scheduled tasks)
- Network-segment developer machines from production infrastructure where possible