CVE-2026-7318
Description
A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in elie mcp-project 0.1.0 allows local attackers to write arbitrary JSON files via the search_papers function.
Vulnerability
Overview
CVE-2026-7318 is a path traversal vulnerability (CWE-22) in elie mcp-project version 0.1.0, specifically in the search_papers function of research_server.py. The function constructs a filesystem path by joining a base directory (PAPER_DIR = "papers") with the user-supplied topic argument after only lowercasing it and replacing spaces with underscores. Neither step removes directory traversal sequences such as ../, so a crafted topic resolves to a location outside the intended papers directory [1].
Exploitation
Conditions
The vulnerability is exploitable locally: the attacker must be able to invoke the search_papers tool with a crafted topic argument, for example through whatever MCP client the server is attached to. No authentication is mentioned as a prerequisite, and the function does not validate or restrict the input before using it in filesystem operations. A public exploit has been disclosed, which increases the risk of active use [1].
Impact
A successful attack lets the attacker create, or overwrite, a file named papers_info.json in a directory of their choosing on the host filesystem; the file name is fixed by the tool, only the directory is attacker-controlled. This amounts to an arbitrary-location JSON file write, which could enable further compromise, for example overwriting a JSON configuration file of that name that another service reads, or planting data in a directory another component later interprets [1].
Mitigation
Status
The vendor was informed via an issue report on April 10, 2026, but has not yet responded or released a fix. As of the publication date (April 28, 2026), no patched version is available. Users are advised to restrict local access to the affected server or, as a workaround, validate the topic parameter before it reaches any filesystem call (for example, reject any value that is not a plain directory name and confirm that the resolved path still lies under PAPER_DIR) [1].
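The following is an added example, not code from the mcp-project repository or from this advisory. It reconstructs the path construction described in the Overview (lowercase, replace spaces with underscores, join onto PAPER_DIR, write papers_info.json) beside a hardened version implementing the input-validation workaround suggested above, and runs both against a constructed benign topic and a traversal topic in a throwaway directory. The exact sanitisation steps, the use of os.path.join, the fixed file name and every function name below are assumptions drawn from the advisory text, not from the project's source.

```python
"""Added example: reconstructed vulnerable path builder beside a hardened one.

Assumptions (not taken from project source): the tool lowercases the topic,
replaces spaces with underscores, joins it onto PAPER_DIR with os.path.join,
and writes a file called papers_info.json in the resulting directory.
"""
import json
import os
import re
import tempfile

PAPER_DIR = "papers"            # base directory named in the advisory
INFO_FILE = "papers_info.json"  # fixed file name the tool writes, per the advisory


def unsafe_info_path(topic: str, base_dir: str = PAPER_DIR) -> str:
    """Reconstruction of the vulnerable pattern: case/space normalisation, then join.

    Nothing rejects '..' components, and os.path.join discards the base entirely
    when the joined part is an absolute path, so the caller chooses the directory.
    """
    topic_dir = topic.lower().replace(" ", "_")
    return os.path.join(base_dir, topic_dir, INFO_FILE)


def escapes_base(path: str, base_dir: str = PAPER_DIR) -> bool:
    """True when `path` resolves (lexically) to somewhere outside `base_dir`."""
    base = os.path.abspath(base_dir)
    target = os.path.abspath(path)
    return os.path.commonpath([base, target]) != base


# Allow-list for the sanitised topic: no separators, no dots, bounded length.
TOPIC_RE = re.compile(r"[a-z0-9][a-z0-9_-]{0,63}")


def safe_info_path(topic: str, base_dir: str = PAPER_DIR) -> str:
    """Hardened builder: allow-list the name, then verify containment of the
    resolved path before it is handed to any filesystem call."""
    topic_dir = topic.lower().replace(" ", "_")
    if not TOPIC_RE.fullmatch(topic_dir):
        raise ValueError(f"topic {topic!r} is not a valid directory name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, topic_dir, INFO_FILE))
    # The regex already excludes '..' and separators; the containment check
    # is a second, independent guard against a future loosening of the regex
    # or a symlink planted under the papers directory.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the papers directory")
    return target


def demo_write(base_dir: str, topic: str, safe: bool) -> str:
    """Write a constructed papers_info.json for `topic` using either builder and
    return where it actually landed, relative to the parent of `base_dir`."""
    path = safe_info_path(topic, base_dir) if safe else unsafe_info_path(topic, base_dir)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"topic": topic, "papers": []}, fh)  # constructed sample content
    return os.path.relpath(path, os.path.dirname(os.path.abspath(base_dir)))


def run_demo() -> dict:
    """Exercise both builders inside a temporary directory and report outcomes."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, PAPER_DIR)
        os.makedirs(base)
        out["benign"] = demo_write(base, "Quantum Computing", safe=False)
        # Traversal: the file lands in <tmp>/outside, a sibling of the papers dir.
        out["traversal"] = demo_write(base, "../outside", safe=False)
        try:
            demo_write(base, "../outside", safe=True)
            out["hardened_rejects"] = False
        except ValueError:
            out["hardened_rejects"] = True
    return out


if __name__ == "__main__":
    print(run_demo())
```

The allow-list is the primary control; the realpath containment check is deliberately kept even though the regex makes it redundant today, because a later change to the accepted character set (or a symlink placed inside the papers directory) would otherwise silently reopen the traversal.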
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
elie mcp-project, version range: = 0.1.0
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.