CVE-2026-7319
Description
A flaw has been found in elinsky execution-system-mcp 0.1.0. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Path traversal in elinsky execution-system-mcp 0.1.0 allows remote attackers to read/write arbitrary markdown files outside the intended repository via crafted context or file_path arguments.
Vulnerability
Overview
A path traversal vulnerability (CWE-22) exists in elinsky execution-system-mcp version 0.1.0. The flaw resides in the _get_context_file_path function within src/execution_system_mcp/server.py, which constructs file paths by directly concatenating user-supplied context strings without canonicalization [2]. Additionally, the complete_action tool's file_path parameter only checks for a prefix of @ or contexts/, allowing traversal sequences like ../../../../../../tmp/poc to escape the intended repository root [2].
Exploitation
The attack can be initiated remotely without authentication, as the MCP server is designed to accept natural-language commands over a network [1]. An attacker can send crafted context or file_path arguments to the add_action or complete_action tools, causing the server to read from or write to arbitrary markdown files outside the configured execution_system_repo_path [2]. The exploit has been publicly disclosed, increasing the immediate risk.
Impact
Successful exploitation allows an attacker to read sensitive markdown files (e.g., configuration, notes) or write malicious content to arbitrary locations on the filesystem, potentially leading to data leakage or further compromise. Since the server operates with the privileges of the user running it, the impact could extend to system-level access if the server runs with elevated permissions.
Mitigation
As of the report date (April 10, 2026), no official fix is available [2]. Users should restrict network access to the MCP server, implement input validation for context and file_path parameters, or apply a patch that canonicalizes paths and ensures they remain within the allowed directory. The open-source nature of the project allows for community-driven fixes.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
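As an added illustration (not code from the execution-system-mcp project, whose actual source is not reproduced here), the following Python contrasts the flawed pattern described in the Overview, direct concatenation plus a prefix-only check, with the canonicalize-then-contain check that the Mitigation section calls for. The repository root, the helper names and the single-component rule for context names are assumptions; the `@` form of file_path is left out because its meaning is not given on this page.

```python
from pathlib import Path, PurePosixPath

# Constructed repository root for this demo; the real server reads its own
# execution_system_repo_path setting.
REPO_ROOT = Path("/srv/execution_system_repo")

def naive_context_path(repo_root: Path, context: str) -> Path:
    """Reconstruction of the flawed pattern the advisory describes: the
    user-supplied context is joined onto the repo path with no
    canonicalization, so '..' segments walk out of the repository."""
    return repo_root / "contexts" / f"{context}.md"

def naive_file_path_check(file_path: str) -> bool:
    """Prefix-only check as described for complete_action: anything that
    starts with '@' or 'contexts/' passes, traversal sequences included."""
    return file_path.startswith("@") or file_path.startswith("contexts/")

def confined_path(repo_root: Path, relative: str) -> Path:
    """Hardened form: canonicalize first, then require containment and a
    .md suffix. An absolute `relative` replaces the root when joined, so
    the containment test catches it as well."""
    root = repo_root.resolve()
    candidate = (root / relative).resolve()   # collapses '..' and symlinks
    if not candidate.is_relative_to(root):    # Python 3.9+
        raise ValueError(f"path escapes repository root: {relative!r}")
    if candidate.suffix != ".md":
        raise ValueError(f"only markdown files are allowed: {relative!r}")
    return candidate

def is_valid_context_name(context: str) -> bool:
    """A context is one path component: no separators, no '.' or '..'."""
    return context not in ("", ".", "..") and PurePosixPath(context).name == context

def safe_context_path(repo_root: Path, context: str) -> Path:
    """Hardened replacement for the concatenating lookup."""
    if not is_valid_context_name(context):
        raise ValueError(f"invalid context name: {context!r}")
    return confined_path(repo_root, f"contexts/{context}.md")

def is_confined(repo_root: Path, relative: str) -> bool:
    """Boolean wrapper around confined_path, handy for logging rejections."""
    try:
        confined_path(repo_root, relative)
        return True
    except ValueError:
        return False
```

Rejections from `confined_path` and `safe_context_path` are worth logging with the offending argument, since repeated traversal attempts against an MCP tool are a clear detection signal.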
Affected products
Range: = 0.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.