“The MCP Inspector tool runs by default when the mcp dev command is executed,” Lumelsky said. “It acts as an HTTP server that listens for connections, with a default setup that does not include sufficient security measures like authentication or encryption.” This misconfiguration introduces a major attack surface, allowing anyone on the local network, or even the public internet, to potentially access and exploit the exposed server.
The MCP inspector is an essential tool for developers working with complex AI systems, including major players like Microsoft and Google for their AI and Cloud environments. A vulnerability affecting open-source deployments poses serious risks to these enterprise systems, Lumelsky added.
As MCP adoption picks up pace, security flaws are starting to emerge, like the bug in Asana’s MCP AI connector that exposed corporate data across tenants. The incident, discovered just a month after launch, underscores the need to reassess the experimental protocol before broader enterprise rollout.
Chained with a legacy flaw for RCE
Oligo demonstrated that the attack vector combines two independent flaws. Attackers could chain the legacy “0.0.0.0-day” browser flaw, which lets web pages send requests to 0.0.0.0 address that browsers treat like localhost, to a CSRF-style attack leveraging the Inspector proxy’s vulnerable “/sse” endpoint that accepts commands via query strings over stdio.
