Blender HTTP runs a small HTTP server inside Blender. Anyone who can send a POST to the server can execute arbitrary Python inside Blender — including reading and writing files anywhere the Blender process can reach, calling shell commands via subprocess, and modifying any open .blend file.
That is the add-on's purpose. It is not a sandbox. Treat the server as if it were a remote shell.
| Who | Can do |
|---|---|
| Anyone with TCP access to the server's bound address and port | Execute Python in Blender, read/write files, exfiltrate data, modify the open scene |
| Anyone who can send you a script to "just run" | Same as above, once you POST it |
| Anyone on the local machine (other user accounts, malware) | Reach 127.0.0.1:9877 like any other localhost service |
There is no authentication, no script sandboxing, no allow-list, no rate limit. Network isolation and your judgement are the only defences.
- The server binds to `127.0.0.1` by default. This restricts access to processes on the same machine. Do not change the host to `0.0.0.0` or a LAN address unless you understand the consequences.
- The default port `9877` has no protection. Anything on your machine that opens a TCP connection to it gets full code execution.
- `OUTPUT` is a convention, not a boundary. Scripts can write anywhere the Blender process has permission. The `OUTPUT` path is just a sensible default — it's not enforced.
- Keep the host as `127.0.0.1`. If you need remote access, use SSH port-forwarding or a VPN — do not expose the port directly.
- Don't run Blender as Administrator / root. A compromise inherits Blender's privileges.
- Review scripts before sending them. Treat code from an agent the same way you'd treat code from a stranger.
- Disable the add-on when not in use. Stop the server (N-panel → HTTP → Stop) or disable the add-on entirely if you're not actively using it.
- Don't commit scripts that hardcode credentials or absolute paths to private files.
- Be careful with `OUTPUT`. Audits, snapshots, and saved `.blend` files land there — make sure that directory does not contain anything sensitive you don't want overwritten.
If you find a security issue, please do not open a public GitHub issue.
Use GitHub's private vulnerability reporting on this repo, or email the maintainer listed in blender_http/blender_manifest.toml.
I'll respond as time permits — this is a personal project, not a commercial product. No bounty.
| Version | Supported |
|---|---|
| 0.4.x | ✅ current |
| < 0.4 | ❌ not maintained |
The following are not considered vulnerabilities and won't be addressed:
- Arbitrary code execution via the documented HTTP API (this is the API's purpose)
- DoS via heavy scripts (Blender is single-threaded; submit lighter scripts)
- The add-on writing files outside `OUTPUT` when a script tells it to (the script is in control)
- A user setting the host to `0.0.0.0` and getting exploited (don't do that)