CVE-2026-7212
Status: Received - Intake
Path Traversal in edvardlindelof notes-mcp Allows Remote Exploitation

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security vulnerability has been detected in edvardlindelof notes-mcp up to 0.1.4. It affects an unknown function of the file notes_mcp.py. Manipulation of the argument root_dir/path leads to path traversal. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: edvardlindelof
Product: notes-mcp
Version / Range: 0.1.4
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-7212 is a directory traversal vulnerability (CWE-22) in the notes-mcp tool, specifically in the file notes_mcp.py. The vulnerability arises because the application joins a user-controlled path argument directly onto a configured root directory without resolving the result or checking that it still lies inside that root.

This lets an attacker include traversal sequences such as "../" in the path parameter and read, write, create, or delete files outside the designated notes directory. The affected file operations include read, write, mkdir, rm, and rmdir.

The root cause is the absence of path canonicalization and a boundary check before any filesystem operation: the server trusts the supplied path without confirming that it is confined to the root directory.


How can this vulnerability impact me?

This vulnerability can have severe impact: unauthorized access to and modification of files outside the intended directory. An attacker can read sensitive files, overwrite or create arbitrary files, and delete files or directories, limited only by the filesystem permissions of the account running the server.

Confidentiality and integrity are at high risk because the attacker can read and alter any file the service account can reach. Availability is affected to a lesser degree, through deletion of files or directories.

Because the attack requires no authentication and the advisory classes it as remotely exploitable, it is a critical risk for systems running the vulnerable notes-mcp server, especially where the server is exposed to untrusted networks. Actual reachability depends on the transport: an MCP server driven over stdio by a local client is reachable only through that client, whereas one bound to a network transport is reachable by anything that can connect to it.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing how the notes-mcp server handles file path arguments, specifically by supplying traversal sequences such as "../" in the path argument that is joined onto root_dir.

Invoke the MCP tools (read, write, mkdir, rm, rmdir) with paths containing traversal sequences and check whether files outside the intended root directory are accessed or modified. Do this against a test deployment with a throwaway root directory, not a production instance.

For example, call the write tool with a path like "../../../../tmp/notes_mcp_escape.md" and then check whether /tmp/notes_mcp_escape.md appeared outside the root, or call the read tool with "../../../../etc/hosts" and check whether the file contents come back.

Since the server is implemented in Python, you can also inspect the source for path joins that are not followed by canonicalization and a boundary check: expressions such as (root_dir / path) with no resolve() and no is_relative_to() on the result, or os.path.join(root_dir, path) with no os.path.realpath() and common-prefix check.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to canonicalize every file path before use and reject any path that escapes the root directory; no upstream fix is referenced on this page.

  • Replace direct path concatenations such as (root_dir / path) with resolved paths, e.g. candidate = (root_dir / path).resolve().
  • Enforce a boundary check such as candidate.is_relative_to(root_dir.resolve()) before every file operation (Path.is_relative_to requires Python 3.9 or later).
  • Restrict the filesystem permissions of the account running the notes-mcp server so that even an escape cannot reach files outside the intended directories.
  • Disable the destructive tools (rm, rmdir) in untrusted environments to reduce the blast radius.
  • Run the notes-mcp server only in trusted local workflows until a proper fix is applied.
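As an added example (not code from notes-mcp or its author), the following Python places the unchecked root_dir / path join described in the detection section beside the resolve()/is_relative_to() check from the mitigation list, and runs the traversal payloads quoted above through both. The root directory /srv/notes, the probe list, the function names and the temporary-directory symlink scenario are all constructed for illustration.

```python
"""Added example, not code from notes-mcp: the unchecked join the advisory
describes, a boundary-checked replacement, and a probe runner that feeds
the traversal payloads from the detection section to both. All paths,
names and the symlink scenario below are constructed for illustration."""
import os
import tempfile
from pathlib import Path

# Constructed probe list: the two payloads quoted above plus an absolute
# path, an escape that begins inside the root, and a benign in-root path.
TRAVERSAL_PROBES = [
    "../../../../tmp/notes_mcp_escape.md",
    "../../../../etc/hosts",
    "/etc/hosts",
    "notes/../../outside.md",
    "inside/ok.md",
]


def unchecked_join(root_dir, path):
    """The pattern the advisory describes: root_dir / path with no
    canonicalization. pathlib discards root_dir entirely when path is
    absolute, so '/etc/hosts' needs no '..' at all to escape."""
    return Path(root_dir) / path


def safe_join(root_dir, path):
    """Canonicalize, then require the result to stay under root_dir.
    resolve() collapses '..' and follows symlinks, so a link inside the
    root that points outside is rejected as well. Raises ValueError."""
    root = Path(root_dir).resolve()
    candidate = (root / path).resolve()
    if not candidate.is_relative_to(root):  # Path.is_relative_to: Python 3.9+
        raise ValueError(f"path escapes root: {path!r}")
    return candidate


def prefix_check_is_fooled(root_dir, path):
    """Why is_relative_to() rather than str.startswith(): a sibling directory
    whose name merely extends the root's name passes a string-prefix test.
    Returns True when the naive check accepts a path the real check rejects."""
    root = Path(root_dir).resolve()
    candidate = (root / path).resolve()
    naive_ok = str(candidate).startswith(str(root))
    return naive_ok and not candidate.is_relative_to(root)


def audit(root_dir, probes=TRAVERSAL_PROBES):
    """For each probe, report (unchecked join lands outside root,
    safe_join rejects it). An entry of (True, False) would mean the
    hardened join let an escape through."""
    root = Path(root_dir).resolve()
    results = {}
    for probe in probes:
        escaped = not unchecked_join(root, probe).resolve().is_relative_to(root)
        try:
            safe_join(root, probe)
            rejected = False
        except ValueError:
            rejected = True
        results[probe] = (escaped, rejected)
    return results


def symlink_escape_demo():
    """Build <tmp>/root/link -> <tmp>/outside and check that safe_join
    refuses 'link/victim.md' even though the literal path contains no '..'.
    Returns True when the escape is rejected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        outside = Path(tmp) / "outside"
        root.mkdir()
        outside.mkdir()
        os.symlink(outside, root / "link")
        try:
            safe_join(root, "link/victim.md")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for probe, (escaped, rejected) in audit("/srv/notes").items():
        print(f"{probe:<40} unchecked escapes={escaped!s:<5} safe_join rejects={rejected}")
    print("symlink escape rejected:", symlink_escape_demo())
    print("prefix check fooled:", prefix_check_is_fooled("/srv/notes", "../notes_backup/x.md"))
```

The check resolves the path at call time, so an attacker who can race the filesystem between the check and the operation (for example by swapping in a symlink) can still bypass it; it belongs alongside the least-privilege and tool-disabling measures listed above, not in place of them.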

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to perform path traversal, enabling arbitrary file read, write, creation, and deletion outside the intended root directory. This can lead to unauthorized access and modification of sensitive files, which may include personal data or protected health information depending on the deployment context.

Such unauthorized access and data manipulation can compromise confidentiality, integrity, and availability of data, potentially violating compliance requirements under standards like GDPR and HIPAA that mandate strict controls over personal and sensitive information.

Therefore, if the notes-mcp server is used in environments subject to these regulations, this vulnerability poses a significant risk to compliance by exposing data to unauthorized parties and risking data integrity.

