CVE-2026-23744 | MCPJam inspector is the local-first development platform for… | CVSS 9.8 CRITICAL

Description

MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE) vulnerability, which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.

Metadata

CVE ID: CVE-2026-23744
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-01-15 15:45 UTC
Published: 2026-01-16 20:10 UTC
Last updated: 2026-01-16 21:15 UTC
Primary CWE: CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product: MCPJam / inspector
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
MCPJam	inspector	—	<= 1.4.2

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306: Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6 https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6
https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a