CVE-2026-23523: One Click to Command Execution — Critical Deeplink RCE in Dive MCP Desktop App

CVE ID: CVE-2026-23523
Product: Dive – MCP Host Desktop Application
Affected versions: All versions prior to 0.13.0
Fixed version: 0.13.0 and later
Severity: Critical
CVSS v3.1: 9.6 (Critical)
Attack vector: Remote (via crafted deeplink)
Privileges required: None
User interaction: Required (user opens a deeplink)
Impact: Arbitrary local command execution under the logged-in user
Exploitability: High
Exploit / PoC availability: Conceptual and research-level PoCs exist.


Executive summary

CVE-2026-23523 is a critical vulnerability in the Dive desktop application that allows an attacker to execute arbitrary commands on a victim’s system by abusing Dive’s deeplink handling mechanism. By crafting a malicious deeplink, an attacker can cause Dive to silently install an attacker-controlled MCP (Model Context Protocol) server configuration. Once installed, this configuration can be leveraged to run local operating system commands when Dive interacts with the MCP server.

While the attack requires user interaction (opening a link), no authentication or special permissions are required. The resulting command execution occurs with the same privileges as the logged-in user, making this vulnerability particularly dangerous in developer, analyst, and admin workstations where sensitive credentials and tools are commonly present.


Technical root cause

Dive supports custom deeplinks to simplify installing and managing MCP servers. In vulnerable versions:

  1. The application accepted deeplink parameters that described MCP server configuration details.
  2. These parameters were not sufficiently validated or surfaced clearly to the user.
  3. Dive allowed MCP server installation without strong user confirmation or sanitization.
  4. Certain configuration fields could later be used by Dive in a way that caused operating system commands or executables to be invoked.

This created a trust boundary failure: untrusted input delivered via a deeplink was treated as trusted configuration and later used in command execution contexts.


How an attacker could exploit this

  1. An attacker crafts a malicious Dive deeplink containing a specially prepared MCP server configuration.
  2. The link is delivered to the victim through email, chat, documentation, a website, or social engineering.
  3. The victim opens the link, triggering Dive’s deeplink handler.
  4. Dive installs the attacker-controlled MCP server configuration without clearly warning the user.
  5. When Dive later interacts with that MCP server, local commands are executed on the victim’s system.

This is not a memory corruption bug or sandbox escape — it is a logic and trust failure that results in full local command execution within the user’s security context.


Real-world impact

An attacker who successfully exploits this vulnerability can:

  • Execute arbitrary commands on the victim’s machine
  • Read, modify, or delete user files
  • Steal API keys, SSH keys, tokens, and credentials
  • Install persistence mechanisms (scheduled tasks, startup items, services)
  • Use the compromised system as a foothold for lateral movement

On developer or AI research machines, this may expose source code, proprietary models, internal tooling, and cloud credentials.


MITRE ATT&CK mapping

  • T1204 – User Execution: User opens a malicious deeplink
  • T1059 – Command and Scripting Interpreter: Local command execution
  • T1547 – Boot or Logon Autostart Execution: Possible persistence after exploitation
  • T1082 – System Information Discovery: Reconnaissance after compromise

These mappings help defenders align detection and response strategies.


Detection strategy

Recommended log sources

To reliably detect exploitation attempts or successful abuse, collect and correlate:

  • Endpoint process creation logs
    • Windows: Event ID 4688, Sysmon Event ID 1
    • macOS/Linux: EDR or audit framework logs
  • EDR telemetry
    • Parent/child process relationships
    • Command-line arguments
  • Application logs
    • Dive application logs, especially around deeplink handling and MCP server installation
  • File system activity
    • Creation or modification of Dive configuration and MCP server files in user directories
  • Network telemetry
    • Unexpected outbound connections following a Dive deeplink event

Behavioral indicators of exploitation

  • Dive spawning shell interpreters (cmd, powershell, sh, bash)
  • Dive launching installers, scripts, or binaries from user-writable directories
  • New MCP server configurations appearing without user-initiated setup
  • Command execution shortly after a deeplink or URL open event
  • Persistence mechanisms created soon after Dive activity

Sigma rule template

title: Dive application spawning command interpreter
id: 8c91c9d1-example  # placeholder; replace with a generated UUID before deploying
status: experimental
description: Detects the Dive desktop application launching shell interpreters, which may indicate abuse of MCP configuration or deeplink handling.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\dive.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
level: high
falsepositives:
  - Legitimate automation workflows using Dive in controlled environments

SIEM detection concept

Logic:
Alert when Dive launches a shell or scripting engine, especially if:

  • The command line is long or complex
  • The execution happens shortly after a deeplink or URL open
  • The user did not intentionally configure a new MCP server

This alert should be high priority on workstations and moderate priority on development hosts.
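
The correlation logic above, written out as an added example (not from the original post or the Dive project). The event field names, the `url_open` event type, the 120-second window and the 200-character threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # interpreters from the Sigma rule
WINDOW = timedelta(seconds=120)  # assumed "shortly after" window
LONG_CMDLINE = 200               # assumed "long command line" threshold

def _name(path):
    return PureWindowsPath(path).name.lower()

def score_events(events):
    """Alert on Dive -> shell launches and record what raises confidence."""
    last_url_open, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "url_open":  # hypothetical normalized deeplink/URL-open event
            last_url_open[ev["host"]] = ev["ts"]
            continue
        if _name(ev["parent_image"]) != "dive.exe" or _name(ev["image"]) not in SHELLS:
            continue
        reasons = []
        opened = last_url_open.get(ev["host"])
        if opened is not None and ev["ts"] - opened <= WINDOW:
            reasons.append("after_url_open")
        if len(ev["command_line"]) > LONG_CMDLINE:
            reasons.append("long_command_line")
        # Priority follows the post: high on workstations, moderate on development hosts.
        priority = "high" if ev["host_role"] == "workstation" else "moderate"
        alerts.append({"host": ev["host"], "child": _name(ev["image"]),
                       "priority": priority, "reasons": reasons})
    return alerts

T0 = datetime(2026, 1, 20, 10, 0, 0)
DIVE = r"C:\Program Files\Dive\dive.exe"  # constructed install path
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"type": "url_open", "host": "WS-01", "ts": T0},
    {"type": "process", "host": "WS-01", "host_role": "workstation",
     "ts": T0 + timedelta(seconds=20), "parent_image": DIVE,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Write-Output " + "A" * 220},
    {"type": "process", "host": "DEV-02", "host_role": "development",
     "ts": T0 + timedelta(hours=1), "parent_image": DIVE,
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c echo ok"},
    {"type": "process", "host": "WS-01", "host_role": "workstation",
     "ts": T0 + timedelta(minutes=5), "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert)
```

Whether the user intended to configure a new MCP server cannot be read from process telemetry, so that condition stays with the analyst during triage.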


Incident response guidance

  1. Isolate the affected host from the network.
  2. Collect process execution logs and Dive application logs.
  3. Identify and remove unauthorized MCP server configurations.
  4. Look for persistence mechanisms created after the initial execution.
  5. Rotate credentials and secrets stored or used on the host.
  6. Upgrade Dive to v0.13.0 or later.
  7. Rebuild the system if integrity cannot be confidently restored.
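
One way to approach step 3, as an added example (not from the original post or the Dive project): compare a collected MCP configuration against an approved baseline and flag entries that match the behavioral indicators listed earlier. It assumes the configuration uses the common `mcpServers` layout with a `command` field per server; the path hints, server names and sample configuration are constructed.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

INTERPRETERS = {"cmd", "powershell", "pwsh", "sh", "bash"}  # from the indicators list
# Assumed markers for user-writable locations; tune for the environment.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "/tmp/", "/downloads/")

def _basename(command):
    path = PureWindowsPath(command) if "\\" in command else PurePosixPath(command)
    name = path.name.lower()
    return name[:-4] if name.endswith(".exe") else name

def audit_mcp_config(config_text, approved_names):
    """Return {server_name: [reasons]} for entries that need review."""
    findings = {}
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        command = str(entry.get("command", "")) if isinstance(entry, dict) else ""
        reasons = []
        if name not in approved_names:
            reasons.append("not_in_approved_baseline")
        if _basename(command) in INTERPRETERS:
            reasons.append("command_is_shell_interpreter")
        if any(hint in command.lower() for hint in USER_WRITABLE_HINTS):
            reasons.append("command_in_user_writable_path")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed configuration for illustration; not taken from a real host.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "C:\\work"]},
    "helper": {"command": "powershell.exe",
               "args": ["-NoProfile", "-File", "placeholder.ps1"]},
    "updater": {"command": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
                "args": []},
}})

if __name__ == "__main__":
    for server, reasons in audit_mcp_config(SAMPLE_CONFIG, {"filesystem"}).items():
        print(server, reasons)
```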

Mitigation and hardening recommendations

  • Upgrade immediately to Dive v0.13.0 or later
    https://github.com/OpenAgentPlatform/Dive/releases/tag/v0.13.0
  • Disable or restrict custom URL handlers where feasible
  • Apply least-privilege principles for local users
  • Use EDR policies to block unapproved child processes
  • Educate users about the risks of opening unknown deeplinks

Key takeaway

CVE-2026-23523 is a classic example of how convenience features like deeplinks can become high-impact attack vectors when trust boundaries are not enforced. The vulnerability is easy to exploit through social engineering and leads directly to local command execution. Prompt patching and strong endpoint detection are essential.


Aegiron
