Critical severity · NVD Advisory · Published Jan 16, 2026 · Updated Jan 16, 2026
RCE in MCPJam inspector due to exposed HTTP endpoint
CVE-2026-23744
Description
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE): an attacker can send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Because MCPJam inspector listens on 0.0.0.0 by default instead of 127.0.0.1, an attacker can trigger the RCE remotely with a simple HTTP request. Version 1.4.3 contains a patch.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @mcpjam/inspector (npm) | < 1.4.3 | 1.4.3 |
Affected products
- Range: <= 1.4.2
References
- github.com/advisories/GHSA-232v-j27c-5pp6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-23744 (ghsa, ADVISORY)
- github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a (ghsa, x_refsource_MISC, WEB)
- github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 (ghsa, x_refsource_CONFIRM, WEB)