Vulnerability Details CVE-2026-40608
Next AI Draw.io is a Next.js web application that integrates AI capabilities with draw.io diagrams. Prior to 0.4.15, the embedded HTTP sidecar contains three POST handlers (/api/state, /api/restore, and /api/history-svg) that read each incoming request by appending every chunk of the body to a JavaScript string with no size limit, so Node.js holds the entire payload in the V8 heap. A single request with a sufficiently large body (for example, 500 MiB or more) exhausts the process heap and triggers an out-of-memory (OOM) error that crashes the MCP server, a denial of service against the sidecar. This vulnerability is fixed in 0.4.15.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.9%
CVSS Severity
CVSS v3 Score 6.2
Products affected by CVE-2026-40608
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.2.0
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.3.0
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.0
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.1
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.3
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.4
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.5
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.6
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.7
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.8
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.9
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.10
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.11
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.12
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.13
- cpe:2.3:a:dayuanjiang:next_ai_draw.io:0.4.14