CVE-2026-7445

The vulnerability resides in the MCP log resource handling code of ZMCPTools, specifically in src/managers/ResourceManager.ts. The resources/read handler processes a user-controlled logs://{dirname}/content?file={filename} URI and constructs a filesystem path without validating that the resolved path remains within the intended log directory [2][3]. This lack of input sanitization constitutes a classic path traversal flaw (CWE-22).

An attacker with access to the MCP interface can supply ../ sequences in the dirname parameter, causing the server to resolve paths outside the designated log folder. The untrusted input flows from the URI originates from a request handled in McpServer.ts (lines 540–544) and propagates through the resource manager's URI parsing and file reading routines [2][3]. No authentication is required beyond the ability to send requests to the MCP server.

The impact is arbitrary local file disclosure. An attacker could read sensitive system files (e.g., /etc/hosts) or other files accessible to the server process [2][3]. As ZMCPTools is designed for multi-agent orchestration and often run with heightened permissions (the project documentation advises using --dangerously-skip-permissions), the potential for exposure of accessing credentials or configuration files is elevated [1].

The vulnerability was responsibly disclosed to the project maintainer via an issue report on April 14, 2026, but no fix has been released as of the publication date CVE publication date [2][3]. Users should restrict network access to the MCP server and monitor the repository for a patched version.