Technical description
Three critical vulnerabilities were published on May 26 for Lumiverse, an AI chat application with MCP server support, all fixed in version 0.9.7.
CVE-2026-44450 (CVSS 9.9): the MCP server creation endpoint validates the command field against an allowlist of binary names but forwards the args array to the child process without validation. Any allowlisted binary accepting inline code (e.g. node -e, python -c) can be used to achieve arbitrary code execution.
CVE-2026-44451 (CVSS 9.3): the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function() with only shallow global shadowing. A sandbox escape using __proto__ or indirect eval paths achieves full code execution.
CVE-2026-44444 (CVSS 9.1): the Spindle extension build pipeline runs bun install without --ignore-scripts before safety scanning, allowing a malicious extension's preinstall/postinstall hooks to execute arbitrary code before any scan.
Attack vector
CVE-2026-44450: attacker creates an MCP server specifying an allowlisted binary (node, python) with a code-execution arg; no additional privilege required.
CVE-2026-44451: attacker supplies malicious TSX as a component override; sandbox escape via prototype pollution or indirect eval.
CVE-2026-44444: attacker supplies a malicious extension package with npm lifecycle scripts, which execute before the safety scan runs.
Affected systems
Lumiverse versions before 0.9.7. AI chat applications using Lumiverse's MCP server creation or extension/component override features.
Mitigation
Upgrade to Lumiverse 0.9.7 immediately. As a defence-in-depth pattern applicable beyond Lumiverse:
(1) validate and allowlist both command AND args for MCP subprocess calls; binary-only allowlists are insufficient;
(2) use --ignore-scripts on all dependency installs in AI extension pipelines;
(3) treat user-supplied component code as untrusted even when transpiled in a sandbox.
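One way to apply mitigation (1), validating args as well as command before an MCP server process is spawned. This is an added example, not Lumiverse's code or its 0.9.7 fix; the policy table, the SERVER_ROOT directory and the validateMcpSpawn name are assumptions made for illustration.

```javascript
// Added example: hypothetical policy, not Lumiverse's code.
const SERVER_ROOT = "/opt/mcp-servers"; // assumed install directory

// Deny by default: each interpreter lists the only flags it may receive and
// the script extensions it may run. A Map avoids inherited keys such as
// "__proto__" matching as a command name.
const POLICY = new Map([
  ["node", { flags: new Set(["--no-warnings"]), ext: [".js", ".mjs"] }],
  ["python", { flags: new Set(["-u"]), ext: [".py"] }],
]);

// One path segment: no leading dot or dash, so "." and ".." never match.
const SEGMENT = /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/;

function validateMcpSpawn(command, args) {
  const policy = POLICY.get(command);
  if (!policy) return { ok: false, reason: "command not allowlisted" };
  if (!Array.isArray(args) || !args.every((a) => typeof a === "string")) {
    return { ok: false, reason: "args must be an array of strings" };
  }
  // Leading arguments are interpreter flags; this is where -e / -c would sit.
  let i = 0;
  while (i < args.length && args[i].startsWith("-")) {
    if (!policy.flags.has(args[i])) {
      return { ok: false, reason: `flag not allowed: ${args[i]}` };
    }
    i += 1;
  }
  // The first positional must be a script under SERVER_ROOT; a bare
  // interpreter (no script) would read its program from stdin.
  const script = args[i];
  if (script === undefined) return { ok: false, reason: "missing script path" };
  if (!script.split("/").every((s) => SEGMENT.test(s))) {
    return { ok: false, reason: "script path must be relative, without dot segments" };
  }
  if (!policy.ext.some((e) => script.endsWith(e))) {
    return { ok: false, reason: "script extension not allowed" };
  }
  // Everything after the script is an argument to the script itself.
  const argv = [...args.slice(0, i), `${SERVER_ROOT}/${script}`, ...args.slice(i + 1)];
  return { ok: true, command, argv };
}
```

The path check is lexical only; where SERVER_ROOT may contain symlinks, resolve the real path before spawning, and pass argv to the process API as an array rather than through a shell.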