Security Advisory - Published 2026-06-19 - Developer / AI Tooling
Developer tooling CVEs: check exposed MCP servers, AI workspaces, templates, and extraction jobs
This batch covers mcp-pinot, LiquidJS, nanobot, Eclipse Theia, ThreadX NetX Duo, and BBOT. The operational risk is not one stack; it is developer tooling with broad credentials, AI workspace trust, template rendering, or archive extraction.
Affected tooling
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-49257 | mcp-pinot | <= 3.0.1 | Pinot credentials, MCP access logs, and table/config changes | 10.0 |
| CVE-2026-48716 | nanobot | <= 0.1.5.post3 | media folders, bridge logs, and document ingestion settings | 8.7 |
| CVE-2026-44688 | Eclipse Theia | before 1.71.0 | workspace trust, AI agent settings, and opened repositories | 8.4 |
| CVE-2026-44691 | Eclipse Theia | before 1.69.0 | workspace trust, task definitions, and AI tool confirmation | 8.4 |
| CVE-2026-46580 | Eclipse Theia | before 1.71.0 | prompt template folders, workspace trust, and AI agent settings | 8.4 |
| CVE-2026-11576 | Eclipse ThreadX NetX Duo | HTTP server PUT handling | embedded HTTP server firmware, PUT support, and vendor update state | 7.5 |
| CVE-2026-45617 | LiquidJS | <= 10.25.7 | template inputs, Node.js worker CPU, and dependency locks | 7.5 |
| CVE-2026-44645 | LiquidJS | <= 10.25.7 | template-authoring users and renderLimit assumptions | 6.5 |
| CVE-2026-12565 | BBOT | unarchive module on older tar stacks | container base images, GNU tar versions, and extraction jobs | 5.3 |
Owner self-check
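```sh
# Installed LiquidJS copies in the npm dependency tree
npm ls liquidjs 2>/dev/null
# Installed mcp-pinot version in the active Python environment
python -m pip show mcp-pinot 2>/dev/null
# Running containers for the affected tools
docker ps | grep -E 'pinot|mcp|theia|nanobot|bbot'
# References in manifests, lockfiles, and compose files
grep -Rni 'liquidjs\|mcp-pinot\|nanobot\|theia\|bbot' package.json package-lock.json pyproject.toml requirements.txt docker-compose.yml 2>/dev/null
# Theia workspace settings, task definitions, and prompt template folders
find . -path '*/.theia/*' -o -path '*/.vscode/tasks.json' -o -path '*/.prompts/*'
```
What to review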
- MCP servers bound to broad interfaces, especially when backend credentials reach Apache Pinot.
- LiquidJS dependency locks and services that render user-controlled templates.
- AI workspaces opened from untrusted repositories, Theia task definitions, and prompt template folders.
- nanobot WhatsApp bridge media folders and recent document ingestion activity.
- Embedded HTTP server builds, archive extraction workers, base images, and old tar versions.
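For the dependency-lock review, the lock itself can be compared against the affected ranges in the table, including nested copies that a top-level manifest check misses. This is an added example, not code from the advisory or from any of the listed projects: it scans the `packages` map of a `package-lock.json` (lockfile v2/v3); the sample lockfile is constructed, and treating every `@theia/*` npm package as Eclipse Theia is an assumption.

```python
import json
import re

# Affected ranges copied from the advisory table. Treating every @theia/*
# npm package as "Eclipse Theia" is an assumption of this example.
RULES = [
    ("liquidjs", "<=", (10, 25, 7), "CVE-2026-45617, CVE-2026-44645"),
    ("@theia/", "<", (1, 71, 0),
     "CVE-2026-44688, CVE-2026-46580; CVE-2026-44691 if before 1.69.0"),
]

# Constructed sample lockfile; the versions are illustrative only.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/liquidjs": {"version": "10.26.0"},
    "node_modules/some-cms/node_modules/liquidjs": {"version": "10.25.7"},
    "node_modules/@theia/core": {"version": "1.70.2"},
    "node_modules/left-alone": {"version": "0.0.1"},
}})

def parse_version(text):
    """Leading numeric x.y.z as a tuple (pre-release tags ignored), or None."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (innermost package)."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def rule_matches(name, pattern):
    # A pattern ending in "/" is a scope prefix; anything else is an exact name.
    return name.startswith(pattern) if pattern.endswith("/") else name == pattern

def scan_lockfile(lock_text):
    """Return (path, version, cves) for each locked copy in an affected range."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        version = parse_version(meta.get("version"))
        if not path or version is None:   # skip root entry and workspace links
            continue
        for pattern, op, bound, cves in RULES:
            if rule_matches(package_name(path), pattern):
                if version <= bound if op == "<=" else version < bound:
                    findings.append((path, meta["version"], cves))
    return findings

if __name__ == "__main__":
    for path, version, cves in scan_lockfile(SAMPLE_LOCK):
        print(f"{path}@{version}: {cves}")
```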
Safe fix path
- Patch dependencies and containers before reopening developer tooling to shared users.
- Move MCP and admin tooling behind authentication, VPN, or localhost-only access.
- Disable AI tool execution for untrusted workspaces until workspace trust is enforced.
- Preserve container, process, and application logs before removing suspicious files or workspaces.
Repair help
Use Ping7 CVE Repair when a developer tool had broad network exposure, AI workspace automation ran with write access, credentials may have reached an MCP server, or logs need incident review.