CVE-2026-7212
Received Received - Intake
Path Traversal in edvardlindelof notes-mcp Allows Remote Exploitation

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in edvardlindelof notes-mcp up to 0.1.4. This affects an unknown function of the file notes_mcp.py. The manipulation of the argument root_dir/path leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7212
EUVD
EUVD-2026-25965
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
edvardlindelof notes-mcp 0.1.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7212 is a directory traversal vulnerability in the notes-mcp tool, specifically in the file notes_mcp.py. The vulnerability arises because the application concatenates a user-controlled path argument directly onto a configured root directory path without properly resolving or validating that the resulting path stays within the intended root directory.

This improper handling allows an attacker to include traversal sequences like "../" in the path parameter, enabling them to access, read, write, create, or delete files outside the designated notes directory. The vulnerability affects multiple file operations such as read, write, mkdir, rm, and rmdir.

The root cause is the lack of path canonicalization and boundary checks before performing file system operations, which means the server trusts the user input path without ensuring it is confined to the root directory.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and modification of files outside the intended directory. An attacker can read sensitive files, overwrite or create arbitrary files, and delete files or directories if the service account has sufficient filesystem permissions.

The confidentiality and integrity of the system are highly at risk because attackers can access and alter arbitrary files. Availability is also impacted to a medium degree due to the potential deletion of files or directories.

Since the attack can be carried out remotely without authentication, it poses a critical risk to systems running the vulnerable notes-mcp server, especially if it is exposed to untrusted networks.

Detection Guidance

This vulnerability can be detected by testing the notes-mcp server's handling of file path arguments, specifically by attempting path traversal sequences such as "../" in the root_dir/path parameter.

You can try invoking the MCP tools (read, write, mkdir, rm, rmdir) with paths containing traversal sequences to see if files outside the intended root directory can be accessed or modified.

For example, using the write tool with a path like "../../../../tmp/notes_mcp_escape.md" to check if the server writes outside the root directory, or reading "../../../../etc/hosts" to check if sensitive files can be disclosed.

Since the server is implemented in Python, you might also inspect the source code for usage of path concatenation without proper resolution or boundary checks, such as calls to (root_dir / path) without resolve() or is_relative_to() checks.

Mitigation Strategies

Immediate mitigation steps include canonicalizing and resolving all file paths before use, and rejecting any paths that escape the root directory boundary.

  • Replace all direct path concatenations like (root_dir / path) with resolved paths, e.g., candidate = (root_dir / path).resolve().
  • Enforce boundary checks such as candidate.is_relative_to(root_dir.resolve()) before performing any file operations.
  • Restrict the filesystem permissions of the service account running the notes-mcp server to limit access outside the intended directories.
  • Disable destructive tools like rm and rmdir in untrusted environments to reduce risk.
  • Run the notes-mcp server only in trusted local workflows until a proper fix is applied.
Compliance Impact

The vulnerability allows attackers to perform path traversal, enabling arbitrary file read, write, creation, and deletion outside the intended root directory. This can lead to unauthorized access and modification of sensitive files, which may include personal data or protected health information depending on the deployment context.

Such unauthorized access and data manipulation can compromise confidentiality, integrity, and availability of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict controls over personal and sensitive information.

Therefore, if the notes-mcp server is used in environments subject to these regulations, this vulnerability poses a significant risk to compliance by exposing data to unauthorized parties and risking data integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7212. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart