VYPR
High severity · 7.3 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 29, 2026

CVE-2026-7400

Description

A path traversal vulnerability has been identified in geekgod382 filesystem-mcp-server 1.0.0. The issue affects the function is_path_allowed in the file server.py, as used by the read_file_tool and write_file_tool components. Manipulation of the supplied path leads to path traversal. The attack can be launched remotely, and the exploit has been disclosed publicly and may be in use. Upgrading to version 1.1.0 addresses this issue; the patch is identified by commit 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in geekgod382 filesystem-mcp-server 1.0.0 allows remote attackers to read/write files outside allowed paths via prefix-check bypass.

Vulnerability

Details

The is_path_allowed function in server.py of filesystem-mcp-server 1.0.0 performs a path traversal check by comparing the absolute path against a list of allowed paths using Python's str.startswith() method. This prefix-based check is insufficient because a path like /home/alice_backup/loot.txt starts with /home/alice if /home/alice is in the allowed list, even though it resides outside the intended directory. [1]

Exploitation

The vulnerability is reachable via any file operation tool exposed by the MCP server, including read_file_tool, write_file_tool, delete_file_tool, and others. An attacker who can send tool calls to the server (remotely, if the server is network-accessible) can craft paths that bypass the prefix check to access files outside the configured ALLOWED_PATHS. No authentication is required beyond the ability to invoke the MCP tools. [1][2]

Impact

Successful exploitation allows an attacker to read, write, delete, or move arbitrary files on the server's filesystem, limited only by the operating system's permissions. Since the default allowed path is the user's home directory, sibling directories (e.g., /home/alice_backup, /home/bob) or other paths sharing a prefix could be targeted. This could lead to data exfiltration, privilege escalation, or system compromise. [1][2]

Mitigation

The vendor has released version 1.1.0, which includes a fix in commit 45364545fc60dc80aadcd4379f08042d3d3d292e. The fix properly resolves paths and ensures that only paths strictly within the allowed directories are permitted. Users are strongly advised to upgrade to version 1.1.0 or later. [3][4]
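To make the flaw described under Details concrete, the following is an added example (it is not code from the filesystem-mcp-server project, nor its 1.1.0 patch): a prefix-style check of the kind the advisory describes, placed beside a hardened check that resolves both sides and compares whole path components, which is the general shape of fix the Mitigation section describes. The ALLOWED_PATHS value, the function names and the sample paths are constructed assumptions for the illustration; the sibling-directory path reuses the advisory's own /home/alice_backup example.

```python
import os
from pathlib import Path

# Constructed allow-list for this example. The real server reads its own
# ALLOWED_PATHS configuration; this single entry is an assumption.
ALLOWED_PATHS = ("/home/alice",)


def is_path_allowed_prefix(path: str, allowed=ALLOWED_PATHS) -> bool:
    """Weak check in the style the advisory describes (hypothetical name).

    Normalises the path and then compares it with str.startswith(). A string
    prefix is not a directory boundary, so '/home/alice_backup/...' passes
    when '/home/alice' is allowed.
    """
    abs_path = os.path.abspath(path)
    return any(abs_path.startswith(base) for base in allowed)


def is_path_allowed_strict(path: str, allowed=ALLOWED_PATHS) -> bool:
    """Hardened check (hypothetical name, not the project's patch).

    Resolves symlinks and '..' on both the candidate and each allowed base,
    then requires the candidate to be the base itself or to sit beneath it as
    a whole path component. Path.relative_to() compares components, so
    '/home/alice_backup' is no longer treated as inside '/home/alice'.
    """
    try:
        target = Path(path).resolve(strict=False)
    except (OSError, RuntimeError):
        # Unresolvable input (e.g. a symlink loop) is rejected rather than
        # falling through to a lexical comparison.
        return False
    for base in allowed:
        base_resolved = Path(base).resolve(strict=False)
        try:
            target.relative_to(base_resolved)
            return True
        except ValueError:
            continue
    return False


def compare_checks(paths):
    """Run both checks over a list of candidate paths and return the verdicts,
    so the difference between the two policies can be inspected or asserted."""
    return {
        p: {
            "prefix": is_path_allowed_prefix(p),
            "strict": is_path_allowed_strict(p),
        }
        for p in paths
    }


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate file, the advisory's
    # sibling-directory case, and a dot-dot escape into another home.
    samples = [
        "/home/alice/notes.txt",
        "/home/alice_backup/loot.txt",
        "/home/alice/../bob/secret.txt",
    ]
    for path, verdict in compare_checks(samples).items():
        print(f"{path:35} prefix={verdict['prefix']!s:5} strict={verdict['strict']}")
```

The second sample is the one that matters: the prefix check accepts it, the component-wise check rejects it. Resolving both sides before comparing also covers symlinks that point out of the allowed tree, which a purely lexical fix (for example appending a trailing separator to the base) would not.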

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
