CVE-2026-7237
Description
A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file_path results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 1.1.0 can resolve this issue. The patch is identified as c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. You should upgrade the affected component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in the write-to-file tool of AgiFlow scaffold-mcp (≤1.0.27) allows remote attackers to write arbitrary files outside the intended workspace.
Vulnerability
Overview
CVE-2026-7237 is a path traversal vulnerability (CWE-22) in the write-to-file tool of @agiflowai/scaffold-mcp (up to and including version 1.0.27). The vulnerability resides in the handling of the file_path argument within packages/scaffold-mcp/src/server/index.ts. The tool accepted absolute paths as-is and resolved relative paths against the current working directory without enforcing any workspace or base-directory boundary, allowing file writes to arbitrary locations on the filesystem [1][4].
Exploitation
The attack is remotely exploitable by any user able to call the MCP interface. An attacker can send a crafted request to the write-to-file tool with an arbitrary file_path and attacker-controlled content. Public exploit code demonstrates writing a file to /tmp/aicode-toolkit-poc.txt using the MCP Inspector [4]. No authentication is required beyond normal MCP access.
Impact
Successful exploitation allows an attacker to write or overwrite arbitrary files writable by the server process. This can lead to integrity loss, configuration corruption, or further compromise of the system [1][4]. The CVSS v3 score, 7.1 of 7.3 (High), reflects the medium attack complexity but high confidentiality and integrity impact.
Mitigation
The vulnerability is patched in version 1.1.0 of @agiflowai/scaffold-mcp, which restricts file writes to the designated workspace directory [2][3]. The fix commit c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6 adds workspace boundary enforcement [2]. Users should immediately upgrade to version 1.1.0 or later.
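The boundary enforcement described above, as an added illustration that is not the project's own fix code: a small TypeScript helper that resolves a requested file_path against a fixed workspace root and refuses any target that lands outside it, next to a reconstruction of the unchecked behaviour the advisory describes. The function names, the workspace root, and the sample requests are assumptions for this example.

```typescript
import * as path from "path";

// Reconstruction (hypothetical, not the project's code) of the affected
// behaviour: an absolute file_path is used as-is and a relative one is
// resolved against the working directory, so nothing pins the write to
// a workspace. The cwd is a parameter here only to keep the example pure.
export function unsafeResolve(cwd: string, filePath: string): string {
  return path.resolve(cwd, filePath);
}

// Hardened form: every write target must lie inside workspaceRoot.
// Returns the normalised absolute path, or null when the request escapes.
export function resolveInWorkspace(workspaceRoot: string, filePath: string): string | null {
  const root = path.resolve(workspaceRoot);
  // path.resolve lets an absolute filePath override root, so absolute input
  // is only accepted when it already lies within the workspace.
  const candidate = path.resolve(root, filePath);
  // Compare by path segments, not by string prefix: a prefix check would
  // accept "/srv/workspace2/x" as being inside "/srv/workspace".
  const rel = path.relative(root, candidate);
  const escapes =
    rel === "" || // the root directory itself is not a writable file target
    rel === ".." ||
    rel.startsWith(".." + path.sep) || // note: "..foo/bar" is a legal name
    path.isAbsolute(rel); // different drive on Windows
  return escapes ? null : candidate;
}

// Constructed sample requests of the shape a write-to-file call carries.
// The /tmp path is the one the public proof of concept writes to.
export const sampleRequests = [
  { file_path: "src/generated/Button.tsx" },
  { file_path: "../../tmp/escape.txt" },
  { file_path: "/tmp/aicode-toolkit-poc.txt" },
];

export interface TriageRow {
  file_path: string;
  allowed: boolean;
  target: string | null;
}

// Runs each sample request through the hardened resolver.
export function triage(workspaceRoot: string): TriageRow[] {
  return sampleRequests.map((r) => {
    const target = resolveInWorkspace(workspaceRoot, r.file_path);
    return { file_path: r.file_path, allowed: target !== null, target };
  });
}

console.log(triage("/srv/workspace"));
```

The check is purely lexical, which is the right first gate for an MCP tool argument; a workspace that may contain symlinks pointing outside the tree also needs the final target compared after `fs.realpath` on its parent directory, otherwise a link inside the workspace can still redirect the write.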
- fix(scaffold-mcp): restrict write-to-file to workspace by vuongngo · Pull Request #89 · AgiFlow/aicode-toolkit
- Merge pull request #89 from AgiFlow/fix/issue-88-scaffold-write-boundary · AgiFlow/aicode-toolkit@c4d2359
- Release @agiflowai/aicode-toolkit@1.1.0 · AgiFlow/aicode-toolkit
- Arbitrary File Write Vulnerability in write-to-file of @agiflowai/scaffold-mcp
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.0.27
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/AgiFlow/aicode-toolkit/commit/c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6
- github.com/AgiFlow/aicode-toolkit/issues/88
- github.com/AgiFlow/aicode-toolkit/pull/89
- github.com/AgiFlow/aicode-toolkit/releases/tag/%40agiflowai/aicode-toolkit%401.1.0
- vuldb.com/submit/802836
- vuldb.com/vuln/359845
- vuldb.com/vuln/359845/cti
News mentions
No linked articles in our index yet.