CVE-2026-7213
Description
A vulnerability was detected in ef10007 MLOps_MCP 1.0.0. This impacts an unknown function of the file fastmcp_server.py of the component save_file Tool. Manipulation of the argument filename/destination results in path traversal. The attack can be performed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MLOps_MCP 1.0.0 save_file tool lacks path sanitization, allowing remote attackers to write arbitrary files outside the workspace via path traversal.
Vulnerability
Analysis
The vulnerability resides in the save_file tool within fastmcp_server.py of MLOps_MCP 1.0.0. The tool accepts caller-controlled filename and destination parameters. It constructs the destination path by joining os.getcwd() with the user-supplied destination using os.path.join(), without any canonicalization or validation. This allows an attacker to supply an absolute path (e.g., /tmp/) or traversal sequences (e.g., ../../) to escape the intended project workspace [1].
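The path construction described above, reproduced as an added example (not MLOps_MCP's own code; all function names are hypothetical) beside a hardened variant that canonicalizes the result and rejects anything that resolves outside the workspace:

```python
import os
import tempfile

def naive_destination(workspace, destination, filename):
    """Join only, no canonicalization: the pattern the analysis describes."""
    return os.path.join(workspace, destination, filename)

def safe_destination(workspace, destination, filename):
    """Hardened variant (hypothetical helper): canonicalize, then require containment."""
    root = os.path.realpath(workspace)
    # Keep only the final component so the filename cannot carry directories.
    name = os.path.basename(filename)
    if name in ("", ".", ".."):
        raise ValueError("invalid filename")
    # realpath resolves "..", absolute-path overrides and symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, destination, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("destination escapes workspace")
    return candidate

def is_inside(workspace, path):
    """True if path resolves to a location under workspace."""
    root = os.path.realpath(workspace)
    return os.path.commonpath([root, os.path.realpath(path)]) == root

def demo():
    """Return {input: (naive path stays inside, hardened helper accepts)}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        ws = os.path.join(base, "workspace")
        os.makedirs(ws)
        # Constructed inputs: one benign, one absolute, one relative traversal.
        for dest in ("models", os.path.join(base, "outside"), "../../outside"):
            naive_ok = is_inside(ws, naive_destination(ws, dest, "model.pkl"))
            try:
                safe_destination(ws, dest, "model.pkl")
                safe_ok = True
            except ValueError:
                safe_ok = False
            label = "<absolute>" if os.path.isabs(dest) else dest
            results[label] = (naive_ok, safe_ok)
    return results

if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The containment check runs on the resolved path, so a symlink inside the workspace that points elsewhere is rejected as well.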
Exploitation
The attack is remotely exploitable via the MCP protocol. An attacker can send a crafted request to the save_file tool with a destination argument containing path traversal sequences or an absolute path. The server then creates the directory tree specified by the attacker and writes the uploaded file content to the attacker-controlled path. No authentication is required, as the MCP server is designed to accept commands from any connected client [1][2].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location on the server filesystem that the server process has write access to. This could lead to overwriting critical system files, planting malicious scripts (e.g., a cron job or web shell), or modifying application configuration. The severity is high (CVSS 7.3) due to the potential for remote code execution or privilege escalation [1].
Mitigation
As of the report date (April 10, 2026), the vendor has not responded to the issue report and no patch is available. The exploit has been publicly disclosed. Users should restrict network access to the MCP server and consider disabling the save_file tool until a fix is released [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.