CVE-2026-49357: CWE-306: Missing Authentication for Critical Function in dtwang line-desktop-mcp
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue.
AI Analysis
Technical Summary
The line-desktop-mcp project supports an HTTP transport mode (--http-mode) that binds to all network interfaces (0.0.0.0) and exposes the MCP /mcp endpoint without enforcing authentication. This missing authentication (CWE-306) allows any network client with access to the port to initialize a session and invoke tools that interact with the LINE Desktop application, including reading chat history and sending messages. The vulnerability is present in versions before 1.1.2. Version 1.1.2 fixes the issue by presumably adding proper authentication checks.
Potential Impact
An unauthenticated attacker on the network can access sensitive functions of the LINE Desktop application via the exposed MCP endpoint. This includes reading chat history and sending messages as the logged-in user, potentially leading to information disclosure and unauthorized message transmission. The CVSS 4.0 score of 8.8 reflects a high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact.
Mitigation Recommendations
Upgrade to line-desktop-mcp version 1.1.2 or later, which fixes the missing authentication issue. Until upgraded, restrict network access to the MCP service port to trusted clients only to prevent unauthorized access. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but version 1.1.2 is confirmed to fix the vulnerability.
CVE-2026-49357: CWE-306: Missing Authentication for Critical Function in dtwang line-desktop-mcp
Description
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue.
CVSS v4.0
Score 8.8high
Affected software
pkg:github/dtwang/line-desktop-mcpRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The line-desktop-mcp project supports an HTTP transport mode (--http-mode) that binds to all network interfaces (0.0.0.0) and exposes the MCP /mcp endpoint without enforcing authentication. This missing authentication (CWE-306) allows any network client with access to the port to initialize a session and invoke tools that interact with the LINE Desktop application, including reading chat history and sending messages. The vulnerability is present in versions before 1.1.2. Version 1.1.2 fixes the issue by presumably adding proper authentication checks.
Potential Impact
An unauthenticated attacker on the network can access sensitive functions of the LINE Desktop application via the exposed MCP endpoint. This includes reading chat history and sending messages as the logged-in user, potentially leading to information disclosure and unauthorized message transmission. The CVSS 4.0 score of 8.8 reflects a high severity due to network attack vector, no required privileges or user interaction, and high confidentiality impact.
Mitigation Recommendations
Upgrade to line-desktop-mcp version 1.1.2 or later, which fixes the missing authentication issue. Until upgraded, restrict network access to the MCP service port to trusted clients only to prevent unauthorized access. Patch status is not explicitly stated as 'official-fix' in the vendor advisory, but version 1.1.2 is confirmed to fix the vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-29T14:35:45.904Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a354cc5f198dc38c158777f
Added to database: 6/19/2026, 2:05:57 PM
Last enriched: 6/19/2026, 2:20:11 PM
Last updated: 6/19/2026, 10:00:10 PM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.