Critical severityNVD Advisory· Published Jan 16, 2026· Updated Jan 16, 2026

REC in MCPJam inspector due to HTTP Endpoint exposes

CVE-2026-23744

Description

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCPJam inspector <=1.4.2 binds to 0.0.0.0, allowing unauthenticated remote attackers to trigger RCE via a crafted HTTP request to the /api/mcp/connect endpoint.

MCPJam inspector versions 1.4.2 and earlier contain a remote code execution vulnerability. The root cause is a missing security check in the /api/mcp/connect HTTP endpoint. When this endpoint receives a request, it extracts command and args fields from the JSON body without any validation. Because the server is configured to listen on 0.0.0.0 instead of 127.0.0.1, the vulnerable endpoint is reachable from any network interface [1][3]

An attacker can exploit this by sending a simple HTTP POST request to the MCPJam inspector. The request must include a JSON payload with a serverConfig object containing an arbitrary command (e.g., cmd.exe) and args. No authentication or user interaction is required, unlike the similar earlier vulnerability CVE-2025-49596. The default binding to 0.0.0.0 effectively turns the development tool into a network-wide backdoor [3]

The impact is full remote code execution on the host running MCPJam inspector. An attacker could execute arbitrary operating system commands with the privileges of the MCPJam process, leading to data exfiltration, malware installation, or further network compromise [1][3]

Version 1.4.3 patches the issue by changing the default bind address from 0.0.0.0 to 127.0.0.1, restricting access to localhost only [2][4]

References

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@mcpjam/inspectornpm	< 1.4.3	1.4.3

Affected products

Mcpjam/Inspectorllm-fuzzy2 versions
<=1.4.2+ 1 more
- (no CPE)range: <=1.4.2
- (no CPE)range: <= 1.4.2

Patches

e6b9cf9d9e6c

Fix port vuln (#1152)

https://github.com/MCPJam/inspectorMatthew WangJan 9, 2026via ghsa

commit

1 file changed · +1 −4

server/index.ts+1 −4 modified

@@ -1,6 +1,3 @@
-import "./sentry";
-import * as Sentry from "@sentry/node";
-
 import { serve } from "@hono/node-server";
 import dotenv from "dotenv";
 import fixPath from "fix-path";
@@ -283,7 +280,7 @@ logBox(`http://${SERVER_HOSTNAME}:${displayPort}`, "🎵 MCPJam");
 const server = serve({
   fetch: app.fetch,
   port: SERVER_PORT,
-  hostname: "0.0.0.0", // Bind to all interfaces for Docker
+  hostname: "127.0.0.1",
 });
 
 // Handle graceful shutdown

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

github.com/advisories/GHSA-232v-j27c-5pp6ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-23744ghsaADVISORY
github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7aghsax_refsource_MISCWEB
github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6ghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.022
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000