High severity7.3NVD Advisory· Published Apr 28, 2026· Updated Apr 29, 2026

CVE-2026-7205

Description

A vulnerability was identified in duartium papers-mcp-server 9ceb3812a6458ba7922ca24a7406f8807bc55598. Impacted is the function search_papers of the file src/main.py. Such manipulation of the argument topic leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in duartium papers-mcp-server allows remote attackers to write arbitrary JSON files outside the intended directory via the search_papers MCP tool.

Vulnerability

Overview

The search_papers() function in src/main.py of duartium papers-mcp-server (commit 9ceb3812a6458ba7922ca24a7406f8807bc55598) contains a path traversal vulnerability (CWE-22). The function uses the user-supplied topic argument to construct a directory path under papers/ by lowercasing the string and replacing spaces with underscores, but it does not sanitize or reject path traversal sequences such as ../. This allows an attacker to escape the intended papers/ storage directory [1].

Exploitation

The vulnerability is exploitable remotely by any client that can invoke the search_papers MCP tool. No authentication is required beyond the ability to send MCP tool calls. The server creates the attacker-controlled directory (via os.makedirs(path, exist_ok=True)) and then writes a papers_info.json file into it. A topic like ../../../../tmp/papers_poc causes the server to create or overwrite /tmp/papers_poc/papers_info.json [1]. The exploit is publicly available, and the project has not yet responded to the issue report [1].

Impact

An attacker can write arbitrary JSON content to any location on the filesystem where the server process has write permissions. This could lead to overwriting critical system files, planting malicious configuration files, or achieving code execution if the written file is later executed or loaded by another component. The impact is limited by the fact that the written file is always named papers_info.json and contains attacker-controlled JSON data [1].

Mitigation

As of the report date (April 10, 2026), no fix has been released. The vendor was informed via a GitHub issue but has not responded [1]. Users should avoid exposing the MCP server to untrusted networks and consider restricting access to the search_papers tool until a patch is available.

References

papers-mcp-server Topic-Based Path Traversal / Arbitrary JSON Write Vulnerability

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

Severity

HighCVSS v3.1

7.3/ 10

CVSS v45.5

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS

Probability of exploitation in the next 30 days.

0.06%

VYPR risk score

Composite of severity, exploitation, and reach.

0.47medium

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE ID

CVE-2026-7205

Source code

github.com/duartium/papers-mcp-server/

Credits

S(
SmallW (VulDB User)
reporter
VC
VulDB CNA Team
coordinator