CVE-2026-7206
SQL Injection in dubydu sqlite-mcp extract_to_json Function
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dubydu | sqlite-mcp | to 0.1.0 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability CVE-2026-7206 affects the extract_to_json function in the sqlite-mcp project. It allows an attacker to perform a path traversal attack by manipulating the output_filename argument, enabling arbitrary JSON file writes outside the intended database directory. Although the tool enforces a .json suffix, it does not properly canonicalize or restrict the output path, so an attacker can specify paths like ../../../../tmp/sqlite_dump.json to write database contents to arbitrary writable locations accessible by the service account.
This flaw can lead to leakage of database contents (confidentiality impact), overwriting arbitrary .json files (integrity impact), and potentially affect availability depending on the files overwritten. The vulnerability also involves a risk of SQL injection through the table_name parameter, which was addressed in the patch.
The recommended fix involves sanitizing filenames to prevent directory traversal, validating output paths to ensure they remain within the database directory, and validating the table_name parameter to prevent SQL injection.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to write arbitrary JSON files containing database contents to any writable location accessible by the service running sqlite-mcp. This can lead to unauthorized disclosure of sensitive database information, compromising confidentiality.
Additionally, an attacker could overwrite important JSON files, affecting data integrity, and potentially disrupt system operations or services by overwriting critical files, impacting availability.
Because the exploit can be triggered remotely without authentication, it increases the risk of unauthorized access and manipulation of data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unusual or unauthorized use of the `extract_to_json` function, especially calls that attempt to write JSON files outside the intended database directory via path traversal sequences in the `output_filename` parameter.
A proof of concept involves invoking the tool with an escaped output path such as `../../../../tmp/sqlite_mcp_dump.json` which causes the database dump to be written outside the repository or database directory.
To detect exploitation attempts, you can look for file creation or modification events in unexpected directories (e.g., `/tmp/`) with `.json` files related to sqlite-mcp.
Suggested commands for detection include:
- Using system audit or file monitoring tools (e.g., `auditctl` on Linux) to watch for writes to `.json` files outside the database directory.
- Searching logs or monitoring JSON-RPC calls to the MCP server for suspicious `output_filename` parameters containing directory traversal patterns like `../`.
- Using commands like `find /tmp -name '*.json' -mtime -1` to find recently created JSON files in temporary or unusual locations.
- If you have access to the MCP server logs or can intercept JSON-RPC requests, inspect calls to `extract_to_json` for unsafe output paths.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation is to apply the official patch identified by commit a5580cb992f4f6c308c9ffe6442b2e76709db548 which addresses both path traversal and SQL injection vulnerabilities.
Key immediate mitigation steps include:
- Sanitize and restrict user-supplied output filenames by stripping directory components (e.g., using `os.path.basename()`) to prevent directory traversal.
- Ensure all file writes are anchored within a fixed, allowlisted database directory and validate absolute paths to prevent escapes.
- Validate the `table_name` parameter to ensure it is a valid identifier and prevent SQL injection.
- Run the MCP server with minimal filesystem privileges to limit the impact of any exploitation.
- Avoid allowing user-controlled output paths if possible.
If patching immediately is not possible, monitor for suspicious activity as described and restrict access to the MCP server to trusted users only.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to write arbitrary JSON files containing database contents outside the intended directory, potentially leaking sensitive data. This impacts confidentiality, integrity, and availability of the database contents.
Such unauthorized data exposure and manipulation could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive data confidentiality and integrity.
Specifically, the ability to extract and write database contents arbitrarily increases the risk of data breaches, which are critical compliance violations under these standards.
Mitigations such as restricting file writes to fixed directories, validating output paths, and minimizing filesystem privileges are necessary to maintain compliance.