Improper Synchronization in Xiaozhi-ESP32 MCP Response Handler by 78
CVE-2026-13489

2.3LOW

Key Information:

Vendor

78

Status
Xiaozhi-esp32
Vendor
CVE Published:
28 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-13489?

A vulnerability has been identified in version 2.2.6 and earlier of the Xiaozhi-ESP32 product, specifically within the MCP Response Handler's ParseMessage function located in the main/mcp_server.cc file. This vulnerability leads to improper synchronization, which could be exploited remotely. Due to its complexity, effective exploitation may be challenging, yet proof-of-concept exploits have been made publicly available, highlighting the need for prompt remediation. A pull request addressing this issue is currently pending acceptance.

Affected Version(s)

xiaozhi-esp32 2.2.0

xiaozhi-esp32 2.2.1

xiaozhi-esp32 2.2.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-13489 - Proof of Concept

References

https://vuldb.com/vuln/374486
vdb-entrytechnical-description
https://vuldb.com/vuln/374486/cti
signaturepermissions-required
https://vuldb.com/cve/CVE-2026-13489
third-party-advisory

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

dem0000 (VulDB User)
VulDB CNA Team
.