CVE-2026-49357
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
The vulnerability in Line Desktop MCP allows unauthorized network clients to access features of the LINE Desktop application on Windows and Mac. In `--http-mode`, the server does not require authentication, enabling session initiation and access to chat history and message sending.
Risk Assessment
Organizations may be exposed to unauthorized access to user data and the ability to send messages on behalf of users, potentially leading to privacy and security breaches.
Recommendation
It is recommended to update to version 1.1.2 or later to mitigate this vulnerability. Additionally, restrict access to the server port to trusted clients only.
Original NVD description (English source)
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. `line-desktop-mcp` supports a `--http-mode` Streamable HTTP transport for use with clients such as n8n. In this mode the server binds to `0.0.0.0` and exposes the MCP `/mcp` endpoint without an MCP-layer authentication check. Prior to version 1.1.2, any network client that can reach the port can initialize a session, list tools, and call tools that read LINE Desktop chat history or send LINE messages through the already logged-in desktop application. Version 1.1.2 fixes the issue.

