PT-2026-3321 · Unknown · Mcpjam Inspector
C2An1 · Published 2026-01-16 · Updated 2026-05-31 · CVE-2026-23744 · CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MCPJam inspector versions prior to 1.4.3
Description
MCPJam inspector, a local-first development platform for MCP servers, contains a flaw that allows remote code execution (RCE). By default the software listens on 0.0.0.0 instead of 127.0.0.1, so its HTTP APIs are reachable from the network. An attacker can send a crafted HTTP request to the '/api/mcp/connect' endpoint, which takes the command and args values from the request without any security checks and uses them to install an MCP server, leading to arbitrary command execution without user interaction.
Recommendations
Update to version 1.4.3.
Restrict access to the '/api/mcp/connect' endpoint to minimize the risk of exploitation.
Exploit · Fix · RCE · Missing Authentication
Affected Products
Mcpjam Inspector