What happened
A malicious webpage exploited the browser 0.0.0.0-day to send CSRF requests to MCP Inspector's unauthenticated local port, executing arbitrary MCP tool calls and achieving full RCE on the developer's machine.
2025-06-13
Critical · Primary
Anthropic's MCP Inspector dev tool accepted unauthenticated connections by default. Chained with a browser 0.0.0.0-day CSRF attack, this enabled unauthenticated RCE with full filesystem and API key access. CVSS 9.4. Patched in v0.14.1.
Why it matters
Full remote code execution on developer workstations: complete filesystem read/write access and exposure of all stored API keys and credentials. Any developer running MCP Inspector while browsing was at risk.
Missing authorization check
Local development server endpoints must require authentication even for localhost connections. CSRF protections and origin validation are essential when any local port is bound without authentication.
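One way to apply these checks to a local dev server, as an added example (not MCP Inspector's code or its actual patch). The function name, port 8765, the allow-lists and the Bearer-token scheme are assumptions made for illustration.

```javascript
// Added example. PORT, the allow-lists and authorizeLocalRequest are hypothetical
// names; this is not MCP Inspector's code or its patch.
const PORT = 8765; // constructed sample port
const ALLOWED_HOSTS = new Set([`localhost:${PORT}`, `127.0.0.1:${PORT}`]);
const ALLOWED_ORIGINS = new Set([`http://localhost:${PORT}`, `http://127.0.0.1:${PORT}`]);

// Compare without an early exit on the first mismatch. In Node,
// crypto.timingSafeEqual over equal-length digests is the usual choice.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % Math.max(b.length, 1));
  }
  return diff === 0;
}

// headers: lower-cased header map, as Node's http module provides it.
function authorizeLocalRequest(headers, expectedToken) {
  // 1. Host must be a loopback name we serve; rejects 0.0.0.0 and rebinding hostnames.
  const host = String(headers["host"] || "").toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, status: 403, reason: "host" };

  // 2. Browsers attach Origin to cross-origin requests; a foreign page is refused.
  //    Non-browser clients send no Origin and fall through to the token check.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(String(origin).toLowerCase())) {
    return { ok: false, status: 403, reason: "origin" };
  }

  // 3. Every request, localhost included, must carry the per-session token.
  const m = /^Bearer (\S+)$/.exec(String(headers["authorization"] || ""));
  if (!m || !constantTimeEqual(m[1], expectedToken)) {
    return { ok: false, status: 401, reason: "token" };
  }
  return { ok: true, status: 200, reason: "authorized" };
}
```

The Origin check alone is not sufficient, because a client that omits the header passes it; the token is what closes the unauthenticated path.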
Would PP block it?
If MCP tool calls were routed through PP's authorization layer, the unauthenticated CSRF-originated requests would lack valid receipts and be blocked. Full coverage requires: (1) the dev tool requiring authentication by default, and (2) PP gating tool execution receipts.
Incident analysis
2025-06-13
CVE-2025-49596 disclosed: MCP Inspector dev tool accepts unauthenticated connections. Chained with browser 0.0.0.0-day CSRF vulnerability to achieve unauthenticated RCE.
2025-06-13
Anthropic releases MCP Inspector v0.14.1 patching the vulnerability by requiring authentication for all connections.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. This assessment is conditional: the block only applies where the real action boundary is routed through a gate.
PP's Runtime Gate would catch the unauthenticated tool calls if MCP tool execution were gated. PP does not prevent the underlying unauthenticated server binding; fixing that requires the dev tool to enforce authentication by default.
Start small
This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.