CVE-2026-49357: line-desktop-mcp: unauthenticated HTTP exposes LINE chats

AWAITING NVD
Published June 19, 2026
CISO Take

line-desktop-mcp, an MCP server that bridges LINE Desktop to AI workflow tools like n8n, binds its HTTP transport to 0.0.0.0 with no authentication — any host on the same network can initialize an MCP session, enumerate tools, and invoke them to read the victim's full LINE chat history or send messages as the logged-in user. The attack requires no credentials and no prior foothold beyond basic TCP connectivity to the exposed port, making it trivially exploitable for any network-adjacent adversary on the same Wi-Fi segment or corporate LAN. EPSS data is not yet available and this package is not in CISA KEV, but the combination of zero-credential exploitation and sensitive communication access — including potential corporate messaging channels — makes this a tangible privacy and impersonation risk wherever this MCP integration is deployed. Upgrade to version 1.1.2 immediately; as a short-term workaround, block external access to the MCP HTTP port via firewall or restrict binding to 127.0.0.1.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High exploitability with trivial execution: the vulnerability requires only network adjacency and basic HTTP knowledge — no credentials, no AI/ML expertise, no prior system access. Impact per affected endpoint is significant: full LINE chat history exfiltration (potential exposure of corporate communications, credentials shared over chat) plus message-send capability enabling targeted impersonation attacks. Blast radius is bounded by deployment footprint, which is niche today but expanding as MCP adoption grows for AI workflow automation. The 0.0.0.0 binding is particularly dangerous in corporate network environments and home offices where LAN segments may be shared with untrusted parties.

How does the attack unfold?

  1. Network Discovery (AML.T0006): Adversary scans the local network for the MCP HTTP port on machines running line-desktop-mcp in --http-mode bound to 0.0.0.0.

  2. Unauthenticated Session Init (AML.T0049): Adversary sends a standard MCP initialize request to /mcp; the server accepts and establishes a full session with no authentication check.

  3. Tool Enumeration (AML.T0084.001): Adversary calls list_tools to discover available LINE Desktop controls (read chat history, send message) and identifies exploitable capabilities.

  4. Exfiltration & Impersonation (AML.T0086): Adversary invokes the chat history tool to extract LINE conversations, then abuses the send-message tool to impersonate the victim within their contact network.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
line-desktop-mcp No patch

Do you use line-desktop-mcp? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

  1. Upgrade line-desktop-mcp to version 1.1.2 immediately (the patch introduces MCP-layer authentication on the HTTP endpoint).

  2. If immediate upgrade is not possible, restrict the MCP HTTP port via host-based firewall to loopback only (127.0.0.1) or a specific authorized source IP.

  3. Disable --http-mode entirely and use stdio transport instead if remote HTTP connectivity is not required.

  4. Audit all MCP server deployments in your environment for similar 0.0.0.0 binding patterns without authentication — this is a recurring misconfiguration class across MCP implementations.

  5. Review network logs for unexpected connections to the MCP HTTP port referenced in GHSA-4hf8-5mjm-rfgq.

  6. Establish a security review gate for any MCP server bound to 0.0.0.0 before permitting production use.
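One way to start the audit in step 4, as an added example that is not part of the advisory or the project's code: it parses `netstat -an` output in the Windows and macOS layouts (the two platforms the advisory names) and reports TCP listeners that are not confined to loopback. The sample text and its port numbers are constructed, since the advisory does not state the MCP port.

```python
import ipaddress
import re

# Constructed sample of `netstat -an` output (Windows and macOS layouts mixed).
# Ports are placeholders: the advisory does not state the MCP HTTP port.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING
  TCP    [::]:8000              [::]:0                 LISTENING
  TCP    192.168.1.23:9000      0.0.0.0:0              LISTENING
  TCP    192.168.1.23:50112     203.0.113.9:443        ESTABLISHED
tcp4       0      0  *.3000                 *.*                    LISTEN
tcp4       0      0  127.0.0.1.8080         *.*                    LISTEN
tcp6       0      0  ::1.8081               *.*                    LISTEN
"""

WINDOWS = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\b")
MACOS = re.compile(r"^tcp[46]*\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN\b")


def classify(host):
    """Return 'loopback', 'wildcard' or 'interface' for a listen address."""
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
    if host == "*":
        return "wildcard"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "wildcard"
    return "loopback" if addr.is_loopback else "interface"


def exposed_listeners(netstat_text, ports=None):
    """List (host, port, kind) for listeners reachable from other hosts."""
    findings = []
    for line in netstat_text.splitlines():
        match = WINDOWS.match(line) or MACOS.match(line)
        if not match:
            continue  # not a TCP socket in the listening state
        host, port = match.group(1), int(match.group(2))
        kind = classify(host)
        if kind != "loopback" and (ports is None or port in ports):
            findings.append((host, port, kind))
    return findings


if __name__ == "__main__":
    for host, port, kind in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{kind:9} {host}:{port} accepts connections from other hosts")
```

Pass `ports={...}` with the port your MCP servers are configured to use to narrow the report; mapping a finding back to its owning process needs the platform's own tooling.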

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment (information security)
NIST AI RMF: MANAGE-2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM07 - Insecure Plugin Design; LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-49357 actively exploited?

No confirmed active exploitation of CVE-2026-49357 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-49357?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, MCP integrations, workflow automation, desktop AI assistants.

What is the CVSS score for CVE-2026-49357?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, MCP integrations, workflow automation, desktop AI assistants

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0084.001 Tool Definitions
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue.
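The two controls the advisory says were missing, loopback binding and an authentication check in front of `/mcp`, sketched with Python's standard library as an added example; this is not the project's code or its 1.1.2 patch. The port, the `MCP_TOKEN` environment variable and the `gate` helper are hypothetical names chosen for illustration.

```python
import hmac
import ipaddress
import json
import os
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

BIND_HOST = "127.0.0.1"  # loopback only; 0.0.0.0 would listen on every interface
BIND_PORT = 8765         # placeholder port (assumption)
# Hypothetical variable name; a random token is generated when it is unset.
API_TOKEN = os.environ.get("MCP_TOKEN") or secrets.token_urlsafe(32)
ALLOWED_SOURCES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def gate(client_ip, authorization, token=None):
    """Return the HTTP status to send before any MCP message is parsed."""
    source = ipaddress.ip_address(client_ip)
    if not any(source in net for net in ALLOWED_SOURCES):
        return 403  # defence in depth if the bind address is ever widened
    scheme, _, presented = (authorization or "").partition(" ")
    expected = (token or API_TOKEN).encode()
    # Constant-time comparison avoids leaking the token through timing.
    if scheme.lower() != "bearer" or not hmac.compare_digest(
            presented.encode(), expected):
        return 401
    return 200


class McpHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        status = 404 if self.path != "/mcp" else gate(
            self.client_address[0], self.headers.get("Authorization"))
        # Stand-in for MCP dispatch: initialize, tool listing and tool calls
        # would run here, and only when status is 200.
        body = json.dumps({"ok": status == 200}).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", "Bearer")
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer((BIND_HOST, BIND_PORT), McpHandler).serve_forever()
```

The check runs before session initialization, so an unauthenticated client cannot initialize a session or list tools.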

Exploitation Scenario

An attacker on the same corporate Wi-Fi or LAN as a user running line-desktop-mcp in --http-mode scans for the exposed MCP HTTP port. Upon finding the /mcp endpoint responding, the attacker sends a standard MCP initialize request — no token, no API key, no challenge — and receives a valid session. They call list_tools to enumerate capabilities, confirming access to read-chat-history and send-message tools. The attacker invokes the chat history tool to extract LINE conversations including any shared credentials, business decisions, or PII stored in message history. As a second stage, the attacker abuses send-message to impersonate the victim within their LINE contact network, sending crafted messages to harvest additional credentials, authorize fraudulent actions, or spread malicious links through the victim's trusted relationships.

Weaknesses (CWE)

CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

  • [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

Timeline

Published: June 19, 2026
Last Modified: June 19, 2026
First Seen: June 19, 2026
