{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23523", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.980Z", "datePublished": "2026-01-16T16:29:48.433Z", "dateUpdated": "2026-01-16T16:47:34.560Z"}, "containers": {"cna": {"title": "Dive allows One-click Remote Code Execution through Deep Links for MCP Install", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8"}, {"name": "https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779"}], "affected": [{"vendor": "OpenAgentPlatform", "product": "Dive", "versions": [{"version": "< 0.13.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T16:29:48.433Z"}, "descriptions": [{"lang": "en", "value": "Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim\u2019s machine. This vulnerability is fixed in 0.13.0."}], "source": {"advisory": "GHSA-pjj5-f3wm-f9m8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T16:47:10.266349Z", "id": "CVE-2026-23523", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T16:47:34.560Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23523", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T16:47:10.266349Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T16:47:26.604Z"}}], "cna": {"title": "Dive allows One-click Remote Code Execution through Deep Links for MCP Install", "source": {"advisory": "GHSA-pjj5-f3wm-f9m8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "OpenAgentPlatform", "product": "Dive", "versions": [{"status": "affected", "version": "< 0.13.0"}]}], "references": [{"url": "https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8", "name": "https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779", "name": "https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim\u2019s machine. This vulnerability is fixed in 0.13.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-16T16:29:48.433Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23523", "state": "PUBLISHED", "dateUpdated": "2026-01-16T16:47:34.560Z", "dateReserved": "2026-01-13T18:22:43.980Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-16T16:29:48.433Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openagentplatform:dive:*:*:*:*:*:*:*:*", "matchCriteriaId": "5CEE8F57-062C-4DA5-86AF-AE6FE89FCA12", "versionEndExcluding": "0.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation and can lead to arbitrary local command execution on the victim\u2019s machine. This vulnerability is fixed in 0.13.0."}], "id": "CVE-2026-23523", "lastModified": "2026-02-09T20:45:56.863", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-16T17:15:54.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/OpenAgentPlatform/Dive/commit/a5162ac9eff366d8ea1215b8a47139a81a55a779"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/OpenAgentPlatform/Dive/security/advisories/GHSA-pjj5-f3wm-f9m8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:03:17.755050+00:00", "value": {"mitigation_remediation": ["Upgrade Dive to version 0.13.0 or later to eliminate the vulnerability", "Temporarily disable handling of external deeplinks until the patch is applied", "Audit and remove any automatically installed attacker\u2011controlled MCP server configurations"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is OpenAgentPlatform\u2019s Dive application, versions older than 0.13.0. No specific installation locations or operating systems are listed, but the vulnerability applies to any deployment of the desktop application that processes external deeplinks.", "description_and_impact": "Dive is an open\u2011source MCP Host Desktop Application that integrates with function\u2011calling LLMs. Before version 0.13.0 it accepts custom deeplinks that can install an attacker\u2011controlled MCP server configuration without sufficient user confirmation, allowing an adversary to execute arbitrary local commands on the victim\u2019s machine. The vulnerability is a classic code injection flaw (CWE\u201194) and leads to full compromise of the host device.", "risk_and_exploitability": "The CVSS score of 9.7 indicates critical severity, but the EPSS score of less than 1% suggests current exploitation attempts are unlikely. The vulnerability is not currently listed in the CISA KEV catalog, meaning no confirmed widespread attacks are known at this time. Attackers can exploit the flaw by tricking a user into clicking a crafted deeplink\u2014most likely via malicious email or compromised website\u2014then the application will install the attacker\u2019s MCP server configuration and execute commands on the local machine."}}}}, "created": "2026-01-19T09:20:44.550647+00:00", "updated": "2026-04-18T16:15:04.595260+00:00", "vendors": ["openagentplatform", "openagentplatform$PRODUCT$dive"]}