PT-2026-3321 · Unknown · Mcpjam Inspector

C2An1 · Published 2026-01-16 · Updated 2026-01-22 · CVE-2026-23744

CVSS v3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MCPJam inspector versions 1.4.2 and earlier

Description: MCPJam inspector, a local-first development platform for MCP servers, contains a remote code execution (RCE) issue. An attacker can send a crafted HTTP request to trigger the installation of an MCP server, leading to RCE. The application, by default, listens on all interfaces (0.0.0.0) instead of localhost, enabling remote exploitation. The `/api/mcp/connect` API endpoint is particularly vulnerable, as it extracts the `command` and `args` parameters without proper security checks, allowing for arbitrary command execution.

Recommendations: Versions prior to 1.4.3 are vulnerable and should be updated to version 1.4.3 or later.
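The three conditions in the description (a listener on 0.0.0.0, no authentication, and `command`/`args` taken straight from the request) map to three checks a local tool can make before it spawns anything. The following is an added example, not MCPJam's code or its 1.4.3 fix; `checkConnectRequest`, `ALLOWED_COMMANDS`, `BIND_HOST`, the token parameter and the request shape are all assumptions.

```javascript
// Hypothetical guard for a local dev-tool endpoint that launches processes.
// Bind the HTTP server to loopback, e.g. server.listen(port, BIND_HOST), not 0.0.0.0.
const BIND_HOST = '127.0.0.1';

// Constructed allowlist. Interpreters still run arbitrary code, so this only
// narrows the surface; the loopback and token checks are the primary controls.
const ALLOWED_COMMANDS = new Set(['node', 'python3']);

function isLoopback(addr) {
  return addr === '127.0.0.1' || addr === '::1' || addr === '::ffff:127.0.0.1';
}

// Compare without returning early at the first mismatching character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

// req: { remoteAddress, token, body } as extracted by the HTTP layer (assumed shape).
// expectedToken: per-session secret generated at startup and shown only to the local user.
function checkConnectRequest(req, expectedToken) {
  if (!isLoopback(req.remoteAddress)) {
    return { ok: false, status: 403, reason: 'non-loopback peer' };
  }
  if (!expectedToken || !safeEqual(req.token, expectedToken)) {
    return { ok: false, status: 401, reason: 'bad or missing token' };
  }
  const { command, args } = req.body || {};
  if (typeof command !== 'string' || !ALLOWED_COMMANDS.has(command)) {
    return { ok: false, status: 400, reason: 'command not allowed' };
  }
  if (!Array.isArray(args) || !args.every((a) => typeof a === 'string')) {
    return { ok: false, status: 400, reason: 'args must be an array of strings' };
  }
  // Caller should spawn with an argv array and shell disabled.
  return { ok: true, command, args };
}
```
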

Exploit

Fix

RCE

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-23744
GHSA-232V-J27C-5PP6

Affected Products

Mcpjam Inspector