GHSA-4HF8-5MJM-RFGQ
Vulnerability from github – Published: 2026-06-26 21:50 – Updated: 2026-06-26 21:50
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Summary
line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to 0.0.0.0 and exposes the MCP /mcp endpoint without an MCP-layer authentication check. Any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application.
This is High for deployments where the HTTP port is reachable beyond the local host, because the server acts with the user authority of the logged-in LINE Desktop session. It is lower if the listener is strictly firewalled to trusted local clients.
Affected version
Repository: dtwang/line-desktop-mcp
Current source checked: fbed0d2d3048e63f48a356a1267ed8ec5e78f3ae on main, committed 2026-05-14.
Published npm package checked: line-desktop-mcp@1.1.1.
Source evidence
README.md documents Streamable HTTP mode:
npx line-desktop-mcp@latest --http-mode --port 3000
The same README documents MCP endpoints at /mcp and explains that this mode is intended for clients such as n8n.
src/server.js registers LINE Desktop tools including:
- get_line_chatroom_history_default
- get_line_chatroom_history_long
- get_line_chatroom_history_short
- send_message_manual
- send_message_auto
Those tool handlers call into the desktop automation layer: getChatHistory(...) and sendChatMessage(...).
In HTTP mode, src/server.js creates an Express app and Streamable HTTP transport, accepts POSTs to /mcp, creates sessions, connects the transport to the MCP server, and calls transport.handleRequest(...). I did not find an authentication or bearer-token check before session creation or tool invocation.
The listener is explicitly network-bound:
```js
// Listener as quoted from src/server.js; the host argument is a string literal
// (the unquoted 0.0.0.0 in the original excerpt is not valid JavaScript).
app.listen(port, '0.0.0.0', () => {
  console.error(`LINE Desktop MCP Server running on Streamable HTTP mode`);
  console.error(` Local: http://127.0.0.1:${port}${endpoint}`);
  console.error(` Network: http://0.0.0.0:${port}${endpoint}`);
});
```
Vulnerability chain
1. A user starts the server with --http-mode --port 3000.
2. The server binds on 0.0.0.0:3000, not only loopback.
3. A network client reaches /mcp and sends the normal MCP initialize request.
4. The server creates a Streamable HTTP session without authenticating the caller.
5. The caller can list and invoke LINE Desktop tools.
6. Tool calls execute through the logged-in LINE Desktop application on the user workstation.
Impact
An unauthenticated network client can read LINE chat history through the MCP history tools and can send LINE messages through the send-message tools, including send_message_auto when the tool call requests immediate sending. The attacker does not need LINE credentials or a LINE API token; they only need network reachability to the MCP HTTP port.
The practical impact is disclosure of private LINE conversations and unauthorized messages sent as the logged-in desktop user.
Suggested fix
Require authentication before accepting Streamable HTTP MCP sessions or tool calls. For example:
- require a bearer token or local secret when --http-mode is used;
- bind HTTP mode to 127.0.0.1 by default unless the operator explicitly opts into network exposure;
- refuse to start 0.0.0.0 HTTP mode without authentication;
- document that host.docker.internal / n8n setups must still authenticate to the MCP server.
A defense-in-depth improvement would also keep send_message_auto disabled unless explicitly enabled by a server-side flag, because it converts MCP tool access into immediate message sending as the desktop user.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.1"
},
"package": {
"ecosystem": "npm",
"name": "line-desktop-mcp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49357"
],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T21:50:49Z",
"nvd_published_at": "2026-06-19T14:16:23Z",
"severity": "HIGH"
},
"details": "# Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication\n\n## Summary\n\n`line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application.\n\nThis is High for deployments where the HTTP port is reachable beyond the local host, because the server acts with the user authority of the logged-in LINE Desktop session. It is lower if the listener is strictly firewalled to trusted local clients.\n\n## Affected version\n\nRepository: `dtwang/line-desktop-mcp`\n\nCurrent source checked: `fbed0d2d3048e63f48a356a1267ed8ec5e78f3ae` on `main`, committed 2026-05-14.\n\nPublished npm package checked: `line-desktop-mcp@1.1.1`.\n\n## Source evidence\n\n`README.md` documents Streamable HTTP mode:\n\n```text\nnpx line-desktop-mcp@latest --http-mode --port 3000\n```\n\nThe same README documents MCP endpoints at `/mcp` and explains that this mode is intended for clients such as n8n.\n\n`src/server.js` registers LINE Desktop tools including:\n\n- `get_line_chatroom_history_default`\n- `get_line_chatroom_history_long`\n- `get_line_chatroom_history_short`\n- `send_message_manual`\n- `send_message_auto`\n\nThose tool handlers call into the desktop automation layer: `getChatHistory(...)` and `sendChatMessage(...)`.\n\nIn HTTP mode, `src/server.js` creates an Express app and Streamable HTTP transport, accepts POSTs to `/mcp`, creates sessions, connects the transport to the MCP server, and calls `transport.handleRequest(...)`. I did not find an authentication or bearer-token check before session creation or tool invocation.\n\nThe listener is explicitly network-bound:\n\n```js\napp.listen(port, 0.0.0.0, () =\u003e {\n console.error(`LINE Desktop MCP Server running on Streamable HTTP mode`);\n console.error(` Local: http://127.0.0.1:${port}${endpoint}`);\n console.error(` Network: http://0.0.0.0:${port}${endpoint}`);\n});\n```\n\n## Vulnerability chain\n\n1. A user starts the server with `--http-mode --port 3000`.\n2. The server binds on `0.0.0.0:3000`, not only loopback.\n3. A network client reaches `/mcp` and sends the normal MCP initialize request.\n4. The server creates a Streamable HTTP session without authenticating the caller.\n5. The caller can list and invoke LINE Desktop tools.\n6. Tool calls execute through the logged-in LINE Desktop application on the user workstation.\n\n## Impact\n\nAn unauthenticated network client can read LINE chat history through the MCP history tools and can send LINE messages through the send-message tools, including `send_message_auto` when the tool call requests immediate sending. The attacker does not need LINE credentials or a LINE API token; they only need network reachability to the MCP HTTP port.\n\nThe practical impact is disclosure of private LINE conversations and unauthorized messages sent as the logged-in desktop user.\n\n## Suggested fix\n\nRequire authentication before accepting Streamable HTTP MCP sessions or tool calls. For example:\n\n- require a bearer token or local secret when `--http-mode` is used;\n- bind HTTP mode to `127.0.0.1` by default unless the operator explicitly opts into network exposure;\n- refuse to start `0.0.0.0` HTTP mode without authentication;\n- document that `host.docker.internal` / n8n setups must still authenticate to the MCP server.\n\nA defense-in-depth improvement would also keep `send_message_auto` disabled unless explicitly enabled by a server-side flag, because it converts MCP tool access into immediate message sending as the desktop user.",
"id": "GHSA-4hf8-5mjm-rfgq",
"modified": "2026-06-26T21:50:50Z",
"published": "2026-06-26T21:50:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/dtwang/line-desktop-mcp/security/advisories/GHSA-4hf8-5mjm-rfgq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49357"
},
{
"type": "WEB",
"url": "https://github.com/dtwang/line-desktop-mcp/commit/680617894981ea93f8f6ceb51ecde7519754d501"
},
{
"type": "PACKAGE",
"url": "https://github.com/dtwang/line-desktop-mcp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication"
}