VYPR
High severity (7.3, NVD) · Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7212

Description

A security vulnerability has been identified in edvardlindelof notes-mcp up to version 0.1.4. It affects an unknown function in the file notes_mcp.py. Manipulation of the argument root_dir/path leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in notes-mcp up to 0.1.4 allows remote attackers to read, write, or delete arbitrary files outside the configured root directory via crafted path arguments.

Vulnerability

Overview

CVE-2026-7212 is a path traversal vulnerability in edvardlindelof's notes-mcp server up to version 0.1.4. The flaw resides in notes_mcp.py, where file operations (read, write, mkdir, rm, rmdir) construct paths by concatenating the user-supplied path argument with the configured root_dir using root_dir / path without any resolution or boundary check [1][2]. This allows an attacker to inject ../ sequences to escape the intended notes vault.
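The concatenation described above, placed beside the kind of boundary check a hardened server would apply, as an added example; this is not code from the notes-mcp project, and the function names and the vault location /srv/notes-vault are assumptions.

```python
from pathlib import Path

# Added example, not code from the notes-mcp project. Function names and the
# vault location are illustrative; the advisory only states that notes_mcp.py
# builds paths as root_dir / path with no boundary check.


def unsafe_join(root_dir: str, path: str) -> Path:
    """The pattern the advisory describes: plain concatenation.

    A path argument such as "../../etc/passwd" survives untouched, so any
    file operation on the result leaves the vault.
    """
    return Path(root_dir) / path


def safe_join(root_dir: str, path: str) -> Path:
    """Resolve the joined path and require it to stay under root_dir.

    Absolute arguments are rejected outright because Path(root) / "/etc/x"
    discards root entirely. resolve() collapses ".." segments (and follows
    existing symlinks), and relative_to() raises ValueError when the target
    is not inside the resolved root.
    """
    if Path(path).is_absolute():
        raise ValueError(f"absolute path rejected: {path!r}")
    root = Path(root_dir).resolve()
    target = (root / path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes root_dir: {path!r}") from None
    return target


def escapes_root(root_dir: str, path: str) -> bool:
    """True when safe_join would refuse the argument."""
    try:
        safe_join(root_dir, path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = "/srv/notes-vault"  # constructed location; it need not exist
    for arg in ("daily/todo.md", "../../etc/passwd", "/etc/passwd"):
        print(f"{arg!r}: unsafe -> {unsafe_join(vault, arg)}, "
              f"rejected by check: {escapes_root(vault, arg)}")
```

Because the check compares resolved paths, it also rejects an argument that only escapes after symlink resolution, which a textual ".." filter would miss.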

Exploitation

An attacker who can invoke any of the MCP tools (e.g., through a connected LLM chatbot or direct network access) can supply a path containing ../ to read, write, create, or delete files outside the root_dir [1]. The attack is remotely exploitable because the MCP server is typically exposed to network clients [4]. No authentication is required beyond the ability to call the tools.

Impact

Successful exploitation enables arbitrary file read (exfiltration of sensitive data), arbitrary file write (potential code injection or configuration modification), and arbitrary file deletion (denial of service) on the host filesystem [1]. The impact is limited only by the permissions of the user running the notes-mcp server.

Mitigation

As of the public disclosure date (April 2026), the vendor has not responded to the issue report and no patch is available [1][4]. Users should restrict network access to the MCP server, implement a reverse proxy with path validation, or avoid using the affected versions until a fix is released.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: notes-mcp (PyPI)
Affected versions: <= 0.1.4
Patched versions: none listed

Patches (0)

No patches discovered yet.

References (6)
