Critical RCE Patched in Minecraft Bedrock Dedicated Server

Critical RCE Patched in Minecraft Bedrock Dedicated Server

Heap buffer overflow lets unauthenticated attackers execute code remotely on unpatched servers. Microsoft included the fix in its July 2026 updates but the window for exploitation is wide open for anyone slow to patch.

If you run a Minecraft Bedrock Dedicated Server, stop what you are doing and check your version. A nasty unauthenticated remote code execution flaw is now public and patched in Microsoft’s July 2026 security updates.

The bug, CVE-2026-55010, is a heap-based buffer overflow that lets an attacker on the network run arbitrary code on the server with no credentials required. CVSS score sits at a tidy 9.8. It is the exact kind of thing that turns a hobby server into a crypto miner or worse in seconds.

Server operators have zero excuse to leave this exposed. Patch it, firewall it, or shut it down until you do. The researcher called it one of the coolest bugs they have worked on. Attackers will call it easy pickings.

Discovery and Disclosure

Security researcher ConsoleBreak posted today that after digging into server-side issues following last year’s client vulnerability, they located this RCE. It landed in the official July Patch Tuesday cycle and was covered by Zero Day Initiative and Talos Intelligence within the past day.

Microsoft lists it as Critical. No indication of active exploitation yet, but that can change fast once proof-of-concept code starts circulating. Public servers sitting on default ports are the obvious targets.

  • Update your Bedrock Dedicated Server binary to the latest patched release immediately
  • Restrict server access with a firewall to trusted IPs only if you cannot update right away
  • Monitor logs for unexpected connection spikes or crashes that could signal probing
  • Avoid exposing the server directly to the open internet without additional protections

Why This Matters Right Now

Bedrock servers power a huge chunk of cross-platform multiplayer, education editions, and Realm-adjacent setups. An RCE this severe on the dedicated server software is rare and dangerous. The fact that it requires zero user interaction makes it especially attractive to automated scanners.

The security community moved quickly to document it. Check the NVD entry and your server host’s update channel. Do not wait for a Minecraft.net blog post. This one is already in the wild.