CVE-2026-7386
Description
A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Manipulation of the argument message_ids leads to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 addresses this issue. The patch is identified as commit 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mail MCP Bridge up to 1.3.3 allows remote path traversal via the cleanup_attachments message_ids argument, enabling arbitrary directory deletion outside the intended cache root.
A path traversal vulnerability (CWE-22/CWE-73) exists in fatbobman's mail-mcp-bridge up to version 1.3.3 [1][2]. The cleanup_attachments MCP tool in src/mail_mcp_server.py accepts a list of RFC message IDs but only strips angle brackets before joining each ID with the attachment cache base directory. Traversal sequences such as ../ are not sanitized, so the server can resolve a path outside /tmp/mail-mcp-attachments and then recursively delete it via shutil.rmtree() [2]. The same unsafe join is used in extract_attachments.py, so the attachment creation flow is exposed in the same way [2].
An unauthenticated remote attacker can send crafted message_ids to the cleanup_attachments endpoint, causing the server to delete arbitrary directories on the host file system [2]. No authentication is required because the MCP server exposes these tools directly over the network [1]. The attack has been demonstrated and a public proof-of-concept exploit exists, which increases the immediate risk [2].
Successful exploitation allows an attacker to delete any directory writable by the Mail MCP Bridge process (typically the user running the service), potentially destroying email archives, configuration, or application data [2]. This can lead to denial of service or, in some cases, privilege escalation if critical system directories are targeted. The vulnerability allows deletion only, not arbitrary file reading or writing, but the impact is still classified as High (CVSS 7.3).
The vendor released version 1.3.4 on April 29, 2026, which fixes the issue by encoding Message-ID values into safe directory names and rejecting traversal shapes, as confirmed by regression tests added in commit 638b162b26532e32fa8d8047f638537dbdfe197a [3][4]. Users are strongly advised to upgrade immediately. No workaround other than upgrading has been provided.
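As an added illustration of the fix shape described above, and not code from the mail-mcp-bridge project: the Message-ID is percent-encoded into a single directory name, a bare `.` or `..` is rejected, and the resolved path is checked against the cache root before anything reaches `shutil.rmtree()`. The helper names `encode_message_id` and `attachment_dir`, and the use of `/tmp/mail-mcp-attachments` as the root, are assumptions based on the advisory text.

```python
import os
import re
import shutil
import urllib.parse

# Cache root named in the advisory; treated here as an assumption.
CACHE_ROOT = "/tmp/mail-mcp-attachments"

# After percent-encoding, only these characters may remain in a directory name.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._~%@-]+$")


def encode_message_id(message_id: str) -> str:
    """Map a Message-ID to exactly one safe path component.

    Angle brackets are stripped (as the vulnerable code did); every character
    outside the unreserved set plus '@' is then percent-encoded, so '/' becomes
    '%2F' and the result can never contain a separator. Bare '.'/'..' is refused.
    """
    mid = message_id.strip().strip("<>")
    if not mid:
        raise ValueError("empty Message-ID")
    encoded = urllib.parse.quote(mid, safe="@")
    if encoded in (".", "..") or not _SAFE_NAME.match(encoded):
        raise ValueError(f"unsafe Message-ID: {message_id!r}")
    return encoded


def attachment_dir(message_id: str, cache_root: str = CACHE_ROOT) -> str:
    """Resolve the per-message directory and prove it stays under cache_root."""
    root = os.path.realpath(cache_root)
    target = os.path.realpath(os.path.join(root, encode_message_id(message_id)))
    # Defence in depth: even if the encoder regressed, refuse to escape the root
    # or to name the root itself (which would wipe the whole cache).
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes cache root: {message_id!r}")
    return target


def cleanup_attachments(message_ids, cache_root=CACHE_ROOT):
    """Delete cached directories for the given IDs; return (removed, rejected)."""
    removed, rejected = [], []
    for mid in message_ids:
        try:
            target = attachment_dir(mid, cache_root)
        except ValueError:
            rejected.append(mid)  # log and skip; never fall through to rmtree
            continue
        if os.path.isdir(target):
            shutil.rmtree(target)
            removed.append(target)
    return removed, rejected
```

Because the encoder turns a traversal-shaped ID into an ordinary name such as `..%2F..%2Fetc`, that ID simply maps to a non-existent subdirectory of the cache and deletes nothing outside it.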
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 1.3.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.