MCPJam Inspector Remote Code Execution — CVE-2026-23744

MCP Server Security · Critical · CVE-2026-23744
Affected: MCPJam Inspector ≤ 1.4.2 (patched in 1.4.3)

What happened

CVE-2026-23744 is a critical remote code execution vulnerability in MCPJam Inspector, a developer tool for inspecting Model Context Protocol servers, affecting versions 1.4.2 and earlier. By default the Inspector listens on all network interfaces (0.0.0.0), so it is reachable beyond localhost. An unauthenticated attacker who can reach that port can send a specially crafted HTTP request that triggers installation of an MCP server and execution of arbitrary code on the host. The issue was fixed in 1.4.3.

Why this is an agentic-endpoint risk

MCP inspectors and utilities live on developer laptops next to the agents they debug. A flaw like this turns a convenience tool into an unauthenticated foothold on a managed endpoint — and because it is an AI-tooling process binding a local port, it is exactly the kind of artifact that traditional controls were never designed to see. It is a textbook case of shadow AI on the endpoint: installed bottom-up, network-reachable, and unreviewed.

How Anomity surfaces and governs it

Anomity inventories AI tooling — including MCP servers, inspectors, and the eight AI artifact types — on every managed endpoint, and surfaces the exact version in use, so finding every vulnerable MCPJam Inspector becomes one query rather than a fleet-wide hunt. It flags instances that bind a network transport without authentication, and on agents that expose a hook it applies runtime governance — allowing, denying, or logging each MCP tool call before it runs. Every install and version change is captured in the 90-day audit trail.

What to check across your fleet

  • Inventory every endpoint for MCPJam Inspector and record its version; upgrade anything ≤ 1.4.2 to 1.4.3.
  • Identify any MCP tool or inspector bound to 0.0.0.0 or a non-loopback interface.
  • Confirm developer tools are not exposed beyond localhost on shared networks.
  • Add a policy: MCP inspectors and servers must require transport authentication.
  • Review the audit trail for recent MCP server installs triggered outside normal workflows.
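The first two checks in the list above can be scripted once version and listener data has been collected per endpoint. The sketch below is an added example, not code from MCPJam or Anomity; the record layout, host names and port 8080 are constructed for illustration, and only the 1.4.3 fix version comes from this advisory.

```python
import ipaddress

PATCHED = (1, 4, 3)  # first fixed release, per the advisory

def parse_version(v):
    """'v1.4.2' -> (1, 4, 2). Pre-release/build suffixes are dropped."""
    core = v.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    return parse_version(version) < PATCHED

def is_exposed(listen):
    """True unless the 'addr:port' listener is bound to loopback only."""
    host = listen.rsplit(":", 1)[0].strip("[]").split("%")[0]
    if host in ("", "*"):  # wildcard forms printed by ss/netstat
        return True
    return not ipaddress.ip_address(host).is_loopback

def triage(records):
    """Return (priority, host, version, listen, action), most urgent first."""
    findings = []
    for r in records:
        vuln, exposed = is_vulnerable(r["version"]), is_exposed(r["listen"])
        if vuln and exposed:
            prio, action = 0, "upgrade to 1.4.3 now; reachable off-host"
        elif vuln:
            prio, action = 1, "upgrade to 1.4.3"
        elif exposed:
            prio, action = 2, "rebind to loopback or require transport auth"
        else:
            continue
        findings.append((prio, r["host"], r["version"], r["listen"], action))
    return sorted(findings)

# Constructed sample inventory (hosts, ports and record layout are invented).
INVENTORY = [
    {"host": "dev-laptop-01", "version": "1.4.2", "listen": "0.0.0.0:8080"},
    {"host": "dev-laptop-02", "version": "1.4.3", "listen": "127.0.0.1:8080"},
    {"host": "dev-laptop-03", "version": "v1.3.0", "listen": "[::1]:8080"},
    {"host": "build-box-07", "version": "1.4.3", "listen": "*:8080"},
]

if __name__ == "__main__":
    for finding in triage(INVENTORY):
        print(*finding, sep="\t")
```

A patched instance that still binds a wildcard address is reported at the lowest priority, since the advisory's policy item asks for transport authentication regardless of version.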

This advisory is part of our MCP Server Security guide. To see your own MCP posture, book a 30-minute demo.

Frequently asked questions

Am I affected by CVE-2026-23744?

You are exposed if any developer endpoint runs MCPJam Inspector at version 1.4.2 or earlier, especially on a shared or reachable network, since the tool binds to all interfaces (0.0.0.0) by default. Upgrading to 1.4.3 remediates the flaw. The practical problem is knowing where the tool is installed in the first place — that requires a fleet inventory of AI tooling.

What does the vulnerability allow?

An unauthenticated attacker who can reach the Inspector's port can send a crafted HTTP request that triggers installation of an MCP server and execution of arbitrary code on the host, with the privileges of the user running the Inspector.

How does Anomity help with CVE-2026-23744?

Anomity inventories MCP tooling — including inspectors and developer utilities — across every managed endpoint, surfaces the version in use, and flags instances that bind a network transport without authentication. On agents that expose a hook, it can deny the MCP tool calls a compromised inspector would attempt before they run.
