CVE-2026-7384

Vulnerability

Overview

The search_papers function in research_server.py of the ezequiroga mcp-bases project contains a path traversal vulnerability (CWE-22). The function accepts a user-controlled topic argument and constructs a filesystem path by joining the papers/ directory with the lowercased, space-replaced topic string. No canonicalization or boundary check is applied, so traversal sequences like ../ are preserved. This allows an attacker to escape the intended storage directory [1].

Exploitation

An attacker can send a crafted topic parameter containing ../ sequences to the MCP server. The server will create the corresponding directory (e.g., papers/../escape-test) and later write a papers_info.json file into that escaped location. The resource handler papers://{topic} uses the same unsafe path construction, enabling reading of files outside the intended scope. The exploit does not require authentication, as the MCP server is typically exposed to clients [1]. The exploit code has been made public, increasing the immediate risk [1].

Impact

Successful exploitation allows an attacker to create arbitrary directories and write JSON files anywhere the server process has write permissions. This could lead to overwriting configuration files, planting malicious data, or other unauthorized file operations. The project's rolling release model means no specific version numbers are provided, but the vulnerability exists in the scanned revision and likely in all revisions with the same path construction [1][2].

Mitigation

As of the publication date, the vendor has not responded to the issue report and no patch is available [1]. Users should monitor the project repository for updates. As a workaround, restrict network access to the MCP server to trusted clients only, or implement input validation to reject path traversal sequences in the topic parameter [1][2].