REC in MCPJam inspector due to HTTP Endpoint exposes

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

AI Analysis

Remote code execution (RCE) vulnerability in MCPJam inspector due to exposed HTTP endpoint

Basic Information

ID CVE-2026-23744

Source GitHub_M

Published Jan 16, 2026 at 20:10

Modified Jan 16, 2026 at 21:15

Affected Product

Vendor MCPJam

Product inspector

Version <= 1.4.2

Affected Versions MCPJam inspector <= 1.4.2

CWE Classification

CWE-306

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor MCPJam

Product MCPJam inspector

Version 1.4.2 and earlier

References

{
    "lastseen": "",
    "description": "MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.",
    "published": "2026-01-16T20:10:37.458Z",
    "modified": "2026-01-16T21:15:53.738Z",
    "type": "cve",
    "title": "REC in MCPJam inspector due to HTTP Endpoint exposes",
    "source": "GitHub_M",
    "references": "https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6\nhttps://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a",
    "id": "CVE-2026-23744",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306"
    ],
    "cvelist": null,
    "sourceData": "MCPJam inspector <= 1.4.2",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "inspector",
    "version": "<= 1.4.2",
    "vendor": "MCPJam",
    "ai_description": "Remote code execution (RCE) vulnerability in MCPJam inspector due to exposed HTTP endpoint",
    "ai_severity": "Critical",
    "ai_vendor": "MCPJam",
    "ai_product": "MCPJam inspector",
    "ai_version": "1.4.2 and earlier",
    "ai_score": 9.8
}

REC in MCPJam inspector due to HTTP Endpoint exposes_CVE-2026-23744