CVE-2026-7398
Description
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. Manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path traversal vulnerability in BioinfoMCP's POST /upload endpoint allows remote attackers to write arbitrary files by controlling the multipart filename.
Vulnerability Overview
A path traversal vulnerability has been identified in the BioinfoMCP platform up to commit 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. The flaw resides in the Upload function of bioinfo_mcp_platform/app.py, specifically in the POST /upload endpoint. The application constructs a file path by joining a fixed upload directory with the client-supplied filename from the multipart upload, without sanitizing or validating the filename. This allows an attacker to include path traversal sequences (e.g., ../) or absolute paths, leading to arbitrary file write outside the intended uploads directory [1][2].
Attack Vector and Exploitation
The attack is remotely exploitable and requires no authentication. An attacker can send a crafted multipart POST request to the /upload endpoint, providing a filename containing traversal characters or an absolute path. The server saves the uploaded file to the attacker-controlled location and then passes that same path into the conversion workflow in scripts/do_sth.py, so the malicious file is not only written but also processed by the platform's conversion pipeline [2]. The exploit has been publicly disclosed, increasing the risk of exploitation.
Impact
Successful exploitation allows an attacker to write arbitrary files to the server filesystem. Depending on the write location, this could lead to overwriting critical application files, injecting malicious code (e.g., Python scripts that could be executed), or causing denial of service. Since the written file is also used as input for further processing, the impact may extend to compromising the integrity of the conversion workflow [2].
Mitigation Status
As of the publication date, no patched version has been released. The project uses continuous delivery with rolling releases, and the vendor was notified via an issue report but has not responded [1][2]. Users should monitor the repository for updates and consider restricting access to the upload endpoint or implementing input validation on filenames as a temporary workaround.
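The root cause described above is the join of a fixed upload directory with an unvalidated multipart filename. The following Python is an added example written for this page, not code from the BioinfoMCP project: it places that unsafe join beside a hardened replacement that a handler for the /upload endpoint could call before saving the file. The upload directory and all sample filenames are constructed for the demonstration; the allow-list, the `UnsafeFilename` exception and the helper names are assumptions, not project APIs.

```python
"""Hardened handling of a client-supplied multipart filename (added example)."""
import os
import pathlib
import re

# Allow-list for the bare filename: a letter or digit, then letters, digits,
# dot, underscore or hyphen. This rejects "", ".", "..", names starting with a
# dot or hyphen, every path separator, drive letters, NUL and control characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must not be used on disk."""


def vulnerable_destination(upload_root, client_filename):
    """The unsafe pattern the advisory describes: join the fixed upload
    directory with the client filename and trust the result.

    os.path.join silently discards upload_root when client_filename is
    absolute, and '..' components walk out of the directory.
    """
    return os.path.join(str(upload_root), client_filename)


def safe_destination(upload_root, client_filename):
    """Return a resolved path inside upload_root, or raise UnsafeFilename."""
    root = pathlib.Path(upload_root).resolve()

    # 1. Syntactic check on the raw name, before any path API touches it.
    if not isinstance(client_filename, str) or not _SAFE_NAME.fullmatch(client_filename):
        raise UnsafeFilename(f"rejected filename: {client_filename!r}")

    # 2. Semantic check: after resolving symlinks, the parent must still be the
    #    upload root. Defence in depth in case the allow-list is loosened later.
    dest = (root / client_filename).resolve()
    if dest.parent != root:
        raise UnsafeFilename(f"filename escapes upload root: {client_filename!r}")
    return dest


def review_names(upload_root, client_filenames):
    """Map each candidate filename to 'accepted' or 'rejected' (demo helper)."""
    outcome = {}
    for name in client_filenames:
        try:
            safe_destination(upload_root, name)
            outcome[name] = "accepted"
        except UnsafeFilename:
            outcome[name] = "rejected"
    return outcome


if __name__ == "__main__":
    # Constructed sample names and a hypothetical upload directory.
    root = "/tmp/bioinfo_uploads"
    samples = ["reads.fastq", "sample-01_R1.fq.gz", "../escape.txt",
               "/abs/path.txt", "..", ".hidden", "nul\x00byte.txt", "sub/dir.txt"]
    for name, verdict in review_names(root, samples).items():
        print(f"{verdict:8s} {name!r}")
    print("unsafe join with absolute name ->", vulnerable_destination(root, "/abs/path.txt"))
```

Rejecting rather than silently stripping directory components keeps the decision visible: a rejected upload can be logged and alerted on, which is useful while the endpoint remains unpatched. Because the saved path is later handed to a script, the allow-list also refuses names that begin with a hyphen, so the filename can never be parsed as a command-line option by downstream tools.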
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 7ada7918b9e515604d3c0ae264d3a9af10bf6e54
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.