CVE-2026-49357 | Line Desktop MCP is a project that, while unaffiliated with … | CVSS 8.8 HIGH

Description

Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue.

Metadata

CVE ID: CVE-2026-49357
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-29 14:35 UTC
Published: 2026-06-19 13:11 UTC
Last updated: 2026-06-19 13:11 UTC
Primary CWE: CWE-306
CWE-306: Missing Authentication for Critical Function
Vendor / Product: dtwang / line-desktop-mcp
Sources: cve.org · NVD

Severity & Metrics

8.8 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
dtwang	line-desktop-mcp	—	< 1.1.2

Weakness (CWE)

CWE	Source	Description
CWE-306	cna	CWE-306: Missing Authentication for Critical Function
CWE-862	cna	CWE-862: Missing Authorization

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.8	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

References (2)

https://github.com/dtwang/line-desktop-mcp/security/advisories/GHSA-4hf8-5mjm-rfgq https://github.com/dtwang/line-desktop-mcp/security/advisories/GHSA-4hf8-5mjm-rfgq
https://github.com/dtwang/line-desktop-mcp/commit/680617894981ea93f8f6ceb51ecde7519754d501 https://github.com/dtwang/line-desktop-mcp/commit/680617894981ea93f8f6ceb51ecde7519754d501