CVE-2026-23523: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenAgentPlatform Dive
Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Prior to 0.13.0, a crafted deeplink can install an attacker-controlled MCP server configuration without sufficient user confirmation, which can lead to arbitrary local command execution on the victim's machine. This vulnerability is fixed in 0.13.0.
AI Analysis
Technical Summary
CVE-2026-23523 is a critical vulnerability, classified under CWE-94 (Improper Control of Generation of Code), in OpenAgentPlatform Dive, an open-source MCP Host Desktop Application for integrating function-calling large language models (LLMs). Versions prior to 0.13.0 process crafted deeplinks without sufficient validation and without an adequate user confirmation step. An attacker can craft a deeplink that, once the victim activates it, installs an attacker-controlled MCP server configuration. Because an MCP host starts the servers in its configuration as local processes (for the stdio transport, a configured command with its arguments and environment), controlling that configuration is equivalent to arbitrary local command execution with the privileges of the user running Dive. The CVSS 3.1 vector describes a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N) and required user interaction (UI:R). The scope is changed (S:C), since code running under the user's account reaches resources beyond the application itself, and the impact on confidentiality, integrity and availability is high (C:H/I:H/A:H), as arbitrary code execution enables data theft, system compromise or denial of service. No exploitation in the wild has been reported, but the low complexity and the one-click trigger make this a critical issue. Dive 0.13.0 fixes it by requiring adequate user confirmation and validation before an MCP server configuration delivered by deeplink is installed.
Potential Impact
For European organizations, the impact is significant wherever Dive is used to connect function-calling LLMs to local tools and data. Successful exploitation compromises the affected endpoint outright, with the usual consequences: data theft, unauthorized access to sensitive information, disruption of operations and a foothold for lateral movement. Sectors such as finance, healthcare and critical infrastructure that are adopting AI integration tooling are particularly exposed. Local command execution also allows ransomware, espionage tooling or persistent backdoors to be deployed. Because the trigger is a single user action on a link, phishing and social engineering campaigns (email, chat, or a web page that opens the deeplink) are the natural delivery vector. The critical CVSS score reflects the high risk to confidentiality, integrity and availability of affected systems.
Mitigation Recommendations
1. Upgrade OpenAgentPlatform Dive to version 0.13.0 or later; this is the only fix for the flaw itself.
2. Until the upgrade is deployed, treat any link that opens Dive as untrusted: do not follow such links from email, chat or web pages, and consider unregistering or restricting Dive's URL protocol handler on managed endpoints.
3. Educate users on the risk of clicking unsolicited deeplinks, especially those received via email or messaging platforms, and on how to decline an MCP server installation prompt they did not initiate.
4. Use endpoint detection and response (EDR) tooling to alert on unexpected child processes of the Dive process (shells, script interpreters, download utilities), since an injected MCP server runs as a child of the host application.
5. Use application control (allow-listing) to restrict which executables Dive and its MCP servers may launch.
6. Regularly audit MCP server configurations, specifically the command, arguments and environment of every entry, for unrecognized servers; after a suspicious click, review the configuration and remove unknown entries.
7. Run Dive under a standard, least-privilege user account, and enforce multi-factor authentication on the services reachable from that endpoint so that a compromised workstation yields less lateral movement.
8. Establish incident response procedures that specifically address code injection in AI integration tools, including how to identify and remove a malicious MCP server configuration.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.980Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696a6c98b22c7ad868bf5936
Added to database: 1/16/2026, 4:51:36 PM
Last enriched: 1/16/2026, 5:06:05 PM
Last updated: 1/16/2026, 5:54:11 PM
Related Threats
- CVE-2025-25290: CWE-1333: Inefficient Regular Expression Complexity in octokit request.js (Medium)
- CVE-2025-24531: CWE-393 Return of Wrong Status Code in OpenSC project pam_pkcs11 (Medium)
- CVE-2025-31510: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in lemonldap-ng LemonLDAP::NG (High)
- CVE-2025-24980: CWE-204: Observable Response Discrepancy in pimcore admin-ui-classic-bundle (Medium)
- CVE-2026-0629: CWE-287 Improper Authentication in TP-Link Systems Inc. VIGI InSight Sx45 Series (S245/S345/S445) (High)