VYPR
High severity 7.3 · NVD Advisory · Published Apr 28, 2026 · Updated Apr 29, 2026

CVE-2026-7272

Description

Path traversal in matlab-mcp-server up to commit ab88f6b allows remote attackers to write arbitrary files via the scriptPath argument.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A path traversal vulnerability (CWE-22) exists in WilliamCloudQi matlab-mcp-server up to commit ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The affected functions generate_matlab_code and execute_matlab_code in src/index.ts accept a user-supplied scriptPath argument and use it directly as a filesystem write target without enforcing a safe base directory, rejecting absolute paths, or restricting parent-directory traversal [1][2]. The server is designed to execute MATLAB code and generate scripts from natural language descriptions, and the vulnerability is reachable through the MCP interface without authentication [3].

Exploitation

An attacker with network access to the MCP interface can send a crafted request containing a scriptPath value that includes directory traversal sequences (e.g., ../) or absolute paths. The server will then write attacker-controlled content to that arbitrary path using fs.writeFileSync [1][2]. No authentication or user interaction is required beyond network connectivity to the exposed MCP endpoint. A proof-of-concept has been published and may be used by attackers [1][2].

Impact

Successful exploitation allows an attacker to write arbitrary content to any filesystem path writable by the server process. This can lead to integrity loss, configuration corruption, overwriting of critical files, or potentially remote code execution if the written file can be executed or interpreted (e.g., overwriting server scripts or system files). The server process privileges determine the scope of damage.

Mitigation

As of the report date (April 12, 2026), no fixed version is available [1][2]. The project was informed via an issue report but has not responded [1]. Users should restrict network access to the MCP interface to trusted hosts only, or disable the server until a patched version is released. The vulnerability is not currently listed in CISA KEV.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

Missing input validation in `src/index.ts` allows a user-supplied `scriptPath` argument to reach `fs.writeFileSync` and `fs.copyFileSync` sinks without enforcing a safe base directory or rejecting path traversal sequences [CWE-22][ref_id=1][ref_id=2].

Attack vector

An attacker with network access to the MCP interface sends a crafted JSON-RPC request to either the `generate_matlab_code` or `execute_matlab_code` tool, supplying an arbitrary `scriptPath` argument such as `/tmp/poc.txt` or `../../etc/cron.d/malicious` [ref_id=1][ref_id=2]. The server uses this user-supplied path directly as a filesystem write target without enforcing a safe base directory, rejecting absolute paths, or restricting parent-directory traversal [CWE-22]. The server process then writes attacker-influenced content (the generated MATLAB code or a copied temporary file) to the attacker-chosen location, enabling arbitrary file write [ref_id=1][ref_id=2]. No authentication is required, and MATLAB installation is not needed to reproduce the `generate_matlab_code` write primitive [ref_id=1].

Affected code

The vulnerability resides in `src/index.ts`. The `generate_matlab_code` tool at line 406 reads `scriptPath` from the request arguments and passes it to lines 422–423, where `fs.writeFileSync(targetPath, generatedCode)` writes attacker-controlled content to that path without validation. Similarly, `execute_matlab_code` at line 361 reads `scriptPath` and propagates it to lines 84–85, where `fs.copyFileSync(tempFile, targetPath)` writes a temporary file to the attacker-supplied path [ref_id=1][ref_id=2].

What the fix does

No patch has been published by the vendor; the project was informed via an issue report but has not responded [ref_id=1][ref_id=2]. The recommended fix is to resolve `scriptPath` with `path.resolve` against a trusted base directory and then verify the resolved path stays within that directory using path-aware boundary checks [ref_id=1]. Absolute paths should be rejected unless explicitly allowlisted, and if arbitrary output paths are not required, the `scriptPath` parameter should be removed entirely in favor of server-controlled filenames under a safe temporary directory [ref_id=1][ref_id=2].
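
The check recommended above, as an added Node.js example (not code from matlab-mcp-server or its maintainers). `resolveScriptPath`, `isInside` and the temporary directory layout are hypothetical, and the sample inputs are constructed from the paths quoted on this page; the example goes one step past the lexical check by also resolving symlinks.

```javascript
// Added example, not matlab-mcp-server code. resolveScriptPath is a hypothetical helper.
const fs = require("fs");
const os = require("os");
const path = require("path");

// Path-aware containment: true when child is parent itself or lies beneath it.
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Returns an absolute write target under baseDir, or throws.
function resolveScriptPath(baseDir, scriptPath) {
  if (typeof scriptPath !== "string" || scriptPath === "" || scriptPath.includes("\0")) {
    throw new Error("scriptPath must be a non-empty string without NUL bytes");
  }
  if (path.isAbsolute(scriptPath)) throw new Error("absolute scriptPath rejected");
  const base = fs.realpathSync(baseDir);
  const target = path.resolve(base, scriptPath);
  if (target === base || !isInside(base, target)) {
    throw new Error("scriptPath escapes the base directory");
  }
  // Lexical checks miss symlinks: resolve the (existing) parent and re-check.
  const parent = fs.realpathSync(path.dirname(target));
  if (!isInside(base, parent)) throw new Error("parent directory resolves outside the base");
  const finalPath = path.join(parent, path.basename(target));
  // writeFileSync follows a symlink at the final component, so refuse one.
  const st = fs.lstatSync(finalPath, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) throw new Error("target is a symlink");
  return finalPath;
}

// Constructed demo: temp base directory containing a symlink that points outside it.
function demo() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "scriptpath-"));
  const base = path.join(root, "scripts");
  fs.mkdirSync(base);
  fs.mkdirSync(path.join(root, "outside"));
  fs.symlinkSync(path.join(root, "outside"), path.join(base, "link"));
  const inputs = ["analysis.m", "..draft.m", "/tmp/poc.txt", "../../etc/cron.d/malicious", "link/evil.m"];
  const results = {};
  for (const input of inputs) {
    try { resolveScriptPath(base, input); results[input] = "allowed"; }
    catch (err) { results[input] = "rejected: " + err.message; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

A file named `..draft.m` is allowed because the containment test compares path segments rather than string prefixes. The check-then-write sequence still leaves a race window, which server-chosen filenames in a private directory avoid.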

Preconditions

  • network: Attacker can invoke MCP tools exposed by the affected matlab-mcp-server instance (generate_matlab_code or execute_matlab_code)
  • config: The server process has filesystem write permission to the attacker-chosen target path
  • config: No effective authentication, authorization, sandbox, or runtime policy blocks attacker-controlled absolute paths before the file write sink
  • input: The scriptPath argument is user-supplied and accepted without validation

Reproduction

1. Start the affected server with MCP Inspector: `cd matlab-mcp-server && npm install && npm run build && npx @modelcontextprotocol/inspector node build/index.js` [ref_id=1][ref_id=2].
2. Call the `generate_matlab_code` tool with arguments: `{"description": "POC_ARBITRARY_FILE_WRITE_TXT", "saveScript": true, "scriptPath": "/tmp/poc.txt"}` [ref_id=1][ref_id=2].
3. Confirm the file `/tmp/poc.txt` exists and contains the text `POC_ARBITRARY_FILE_WRITE_TXT` [ref_id=1][ref_id=2].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
