CVE-2026-23744

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-23744
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a Patch
https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:mcpjam:inspector:*:*:*:*:*:*:*:*
History

13 Mar 2026, 14:19

Type Values Removed Values Added
Summary
  • (es) MCPJam inspector es la plataforma de desarrollo local-first para servidores MCP. Las versiones 1.4.2 y anteriores tienen una vulnerabilidad de ejecución remota de código (RCE), que permite a un atacante enviar una solicitud HTTP manipulada que desencadena la instalación de un servidor MCP, lo que lleva a un RCE. Dado que MCPJam inspector por defecto escucha en 0.0.0.0 en lugar de 127.0.0.1, un atacante puede provocar la RCE de forma remota a través de una simple solicitud HTTP. La versión 1.4.3 contiene un parche.
References () https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a - () https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a - Patch
References () https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 - () https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 - Exploit, Vendor Advisory
First Time Mcpjam inspector
Mcpjam
CPE cpe:2.3:a:mcpjam:inspector:*:*:*:*:*:*:*:*

16 Jan 2026, 22:16

Type Values Removed Values Added
References
  • () https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a -
Summary (en) MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. (en) MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

16 Jan 2026, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-01-16 20:15

Updated : 2026-03-13 14:19

NVD link : CVE-2026-23744

Mitre link : CVE-2026-23744

CVE.ORG link : CVE-2026-23744

JSON object : View

Products Affected

mcpjam

  • inspector
CWE
CWE-306

Missing Authentication for Critical Function