CVE-2026-33057
Published: 20 March 2026
Description
Mesop is a Python-based UI framework that allows users to build web applications. In versions 1.2.2 and below, a web endpoint inside the ai/ testing module infrastructure ingests untrusted Python code strings without any authentication, yielding unrestricted remote code execution: anyone who can reach this server over HTTP gains command execution on the host machine. The AI codebase package includes a lightweight debugging Flask server in ai/sandbox/wsgi_app.py. Its /exec-py route accepts a base64-encoded Python source string in the code parameter of a POST request, writes it to a file on the server's filesystem, and executes it using execute_module(module_path...). This issue has been fixed in version 1.2.3.
Mitigating Controls (NIST 800-53 r5)
- Enforce authentication and authorization on the /exec-py endpoint so that unauthenticated POST requests cannot trigger remote code execution.
- Restrict the Mesop deployment to least functionality by disabling or removing the debugging Flask server and its unrestricted code execution endpoint in production environments.
- Remediate the RCE flaw in Mesop versions 1.2.2 and below by upgrading to version 1.2.3, where the vulnerable endpoint is secured.
Security Summary
CVE-2026-33057 is an unrestricted remote code execution vulnerability (CWE-94) in Mesop, a Python-based UI framework for building web applications. It affects versions 1.2.2 and below, specifically within the ai/ testing module infrastructure. The vulnerable component is a lightweight debugging Flask server in ai/sandbox/wsgi_app.py, which exposes an /exec-py endpoint that accepts untrusted Python code as a base64-encoded payload in the 'code' parameter of a POST request, with no authentication. The server writes the decoded code to the filesystem and executes it via execute_module(module_path...), enabling full host compromise. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attackers require only network access to the affected Mesop server instance running the debugging endpoint. Exploitation involves sending a simple POST request to /exec-py with a base64-encoded Python payload, which is unconditionally evaluated and executed on the host machine. Successful exploitation grants arbitrary command execution rights, allowing attackers to achieve complete control over the server, including data exfiltration, persistence, or further lateral movement.
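To make the flaw and the mitigations above concrete, the following is an added illustration written for this page, not Mesop's own code. It reconstructs the /exec-py pattern as a minimal stdlib WSGI app (the write-to-disk-then-run behaviour standing in for execute_module is an assumption drawn from the advisory text), and places a hardened variant beside it that applies the controls listed above: the route is served only when explicitly enabled, accepts loopback clients only, and requires a bearer token compared in constant time. The request-driving helper, the token value and the benign payload are constructed for the demonstration.

```python
"""Added illustration for CVE-2026-33057 (not Mesop's code): a minimal WSGI
reconstruction of the /exec-py pattern next to a hardened variant. The
execute_module stand-in (write source to a file, run it as a module) is an
assumption based on the advisory text."""
import base64
import hmac
import io
import os
import runpy
import tempfile
from urllib.parse import parse_qs, urlencode


def _code_param(environ):
    """Return the raw `code` form field from the POST body (None if absent)."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length).decode()
    return parse_qs(body).get("code", [None])[0]


def _execute_module(source):
    """Assumed stand-in for execute_module(module_path...): persist the source
    and run it as a module, returning the module's globals."""
    with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
        f.write(source)
        path = f.name
    try:
        return runpy.run_path(path)
    finally:
        os.unlink(path)


def _respond(start_response, status, body):
    start_response(status, [("Content-Type", "text/plain")])
    return [body]


def vulnerable_app(environ, start_response):
    """The flawed pattern: no gating, no authentication; code runs as the server."""
    if environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] == "/exec-py":
        source = base64.b64decode(_code_param(environ) or "").decode()
        ns = _execute_module(source)  # attacker-controlled Python executes here
        return _respond(start_response, "200 OK", str(ns.get("result")).encode())
    return _respond(start_response, "404 Not Found", b"not found")


def make_hardened_app(token=None, enabled=False):
    """Same route with the advisory's controls: served only when explicitly
    enabled (least functionality), loopback-only, bearer token required."""
    def app(environ, start_response):
        if environ["PATH_INFO"] != "/exec-py" or not enabled:
            return _respond(start_response, "404 Not Found", b"not found")
        if environ.get("REMOTE_ADDR") not in ("127.0.0.1", "::1"):
            return _respond(start_response, "403 Forbidden", b"local only")
        presented = environ.get("HTTP_AUTHORIZATION", "").encode()
        expected = ("Bearer " + token).encode() if token else b""
        # compare_digest avoids leaking the token length/prefix via timing
        if not token or not hmac.compare_digest(presented, expected):
            return _respond(start_response, "401 Unauthorized", b"unauthorized")
        if environ["REQUEST_METHOD"] != "POST":
            return _respond(start_response, "405 Method Not Allowed", b"")
        source = base64.b64decode(_code_param(environ) or "").decode()
        ns = _execute_module(source)
        return _respond(start_response, "200 OK", str(ns.get("result")).encode())
    return app


def call(app, method, path, source=None, auth=None, remote="203.0.113.9"):
    """Drive a WSGI app in-process with a constructed request; returns (status, body)."""
    body = b""
    if source is not None:
        encoded = base64.b64encode(source.encode()).decode()
        body = urlencode({"code": encoded}).encode()
    environ = {
        "REQUEST_METHOD": method, "PATH_INFO": path, "REMOTE_ADDR": remote,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    if auth:
        environ["HTTP_AUTHORIZATION"] = auth
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    return captured_status_and_body(app, environ, start_response, captured)


def captured_status_and_body(app, environ, start_response, captured):
    out = b"".join(app(environ, start_response))
    return captured["status"], out


def run_demo():
    """Constructed, benign payload; the advisory's point is that anything here runs."""
    payload = "result = sum(range(10))"
    tok = "example-token"  # assumed value for the demonstration
    hardened = make_hardened_app(token=tok, enabled=True)
    return {
        "vulnerable": call(vulnerable_app, "POST", "/exec-py", payload),
        "no_auth": call(hardened, "POST", "/exec-py", payload, remote="127.0.0.1"),
        "bad_token": call(hardened, "POST", "/exec-py", payload, auth="Bearer wrong", remote="127.0.0.1"),
        "remote": call(hardened, "POST", "/exec-py", payload, auth="Bearer " + tok),
        "ok": call(hardened, "POST", "/exec-py", payload, auth="Bearer " + tok, remote="127.0.0.1"),
        "disabled": call(make_hardened_app(token=tok, enabled=False), "POST", "/exec-py",
                         payload, auth="Bearer " + tok, remote="127.0.0.1"),
    }


if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(f"{name:10s} {status} {body!r}")
```

The vulnerable app returns 200 and the payload's result for any client; the hardened app refuses the same request unless it is enabled, local and authenticated, and the "disabled" case shows that in production the safest control is simply not registering the route at all, as the second mitigation above recommends.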
The vulnerability has been addressed in Mesop version 1.2.3. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (https://github.com/mesop-dev/mesop/security/advisories/GHSA-gjgx-rvqr-6w6v) and the fixing commit (https://github.com/mesop-dev/mesop/commit/825f55970c20686de3f28e2c66df4d74e9d4db47).
This issue is noteworthy in AI/ML development contexts, as the vulnerable endpoint is part of Mesop's AI sandbox testing infrastructure.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- Affected Products: Mesop versions 1.2.2 and below (fixed in 1.2.3)
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai, ai, ai
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1059.006 Command and Scripting Interpreter: Python
Why these techniques?
The vulnerability is an unauthenticated RCE in a public-facing web endpoint of a Python framework's debugging server, so reaching it is exploitation of a public-facing application (T1190), and the payload is arbitrary Python executed by the server's interpreter (T1059.006).