CVE-2026-23744

CriticalPublic PoC

Published: 16 January 2026

Published

16 January 2026

Modified

13 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.2944 96.6th percentile

Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Description

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server,…

leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation requires timely patching to version 1.4.3, which directly eliminates the RCE vulnerability from crafted HTTP requests.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits permitted actions without identification or authentication, directly addressing the missing authentication (CWE-306) for the critical MCP server installation function.

SC-14 Public Access Protections good match

prevent

Enforces access controls on publicly accessible services like the default 0.0.0.0-bound MCPJam inspector HTTP endpoint to block unauthorized remote exploitation.

Security SummaryAI

CVE-2026-23744 is a remote code execution (RCE) vulnerability affecting MCPJam inspector, a local-first development platform for MCP servers, in versions 1.4.2 and earlier. The flaw, linked to CWE-306 (Missing Authentication for Critical Function), arises when a crafted HTTP request triggers the unintended installation of an MCP server, enabling RCE. By default, MCPJam inspector binds to 0.0.0.0 rather than 127.0.0.1, exposing the service to remote networks. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Any unauthenticated remote attacker can exploit this vulnerability by sending a simple crafted HTTP request to the exposed MCPJam inspector instance. Successful exploitation grants arbitrary code execution on the target system with the privileges of the inspector process, potentially leading to full system compromise, data theft, or further lateral movement.

The patch is available in version 1.4.3 of MCPJam inspector. Official advisories and the fixing commit are detailed in the GitHub security advisory (GHSA-232v-j27c-5pp6) and the patch commit (e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a), recommending immediate upgrade to mitigate the issue.

Details

CWE(s): CWE-306

Affected Products

mcpjam

inspector

≤ 1.4.3

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: mcp, mcp

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated remote code execution via crafted HTTP requests to the exposed MCPJam inspector service (binding to 0.0.0.0), directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a
Patch · security-advisories@github.com
https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6
Exploit, Vendor Advisory · security-advisories@github.com