CVE-2026-7214
Received Received - Intake
Path Traversal in eghuzefa engineer-your-data Server Module

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function read_file/write_file/list_files/file_inf of the file src/server.py. The manipulation of the argument WORKSPACE_PATH leads to path traversal. The attack may be initiated remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7214
EUVD
EUVD-2026-25967
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
eghuzefa engineer-your-data to 0.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the "engineer-your-data" project up to version 0.1.3, specifically in the file operations functions read_file, write_file, list_files, and file_info within src/server.py and related files.

The core issue is that these file operation tools do not enforce the configured workspace root boundary defined by the environment variable WORKSPACE_PATH. Instead, they accept arbitrary file paths from callers and operate on them directly without validating whether the paths reside within the designated workspace directory.

This lack of path validation allows an attacker to perform path traversal attacks, accessing or modifying files outside the intended workspace directory. For example, an attacker can read sensitive system files like /etc/hosts or write arbitrary files anywhere the service account has permission.

The vulnerability can be exploited remotely by sending crafted JSON-RPC requests to the affected file operation functions.

Impact Analysis

This vulnerability can have significant security impacts including:

  • Confidentiality impact: Attackers can read arbitrary files on the system, potentially exposing sensitive information.
  • Integrity impact: Attackers can write or modify arbitrary files, potentially altering data or injecting malicious content.
  • Availability impact: Arbitrary writes can disrupt local workflows or system operations, causing partial denial of service.

The exploit can be performed remotely without authentication, increasing the risk of unauthorized access and manipulation.

Detection Guidance

This vulnerability can be detected by attempting to invoke the exposed MCP file operation tools with file paths outside the configured workspace boundary. For example, sending a JSON-RPC request to the read_file function with an absolute path such as "/etc/hosts" can reveal if path traversal is possible.

A practical detection method is to test if the service responds to file operation requests with paths outside the intended workspace. If the service returns file contents or allows writing to arbitrary paths, the vulnerability is present.

  • Send a JSON-RPC request to read_file with "file_path": "/etc/hosts" and check if the contents of /etc/hosts are returned.
  • Attempt to write a file outside the workspace using write_file, for example writing to "/tmp/engineer_your_data_poc.json".
  • Check if list_files or file_info commands accept paths outside the workspace and return information about those files.
Mitigation Strategies

Immediate mitigation steps include enforcing the workspace root directory boundary for all file operations and restricting the permissions of the service account.

  • Configure the service to strictly enforce WORKSPACE_PATH as the root directory and reject any file paths that escape this boundary, including absolute paths and directory traversal sequences.
  • Run the service under a restricted user account with limited file system permissions to minimize potential damage.
  • Disable file-writing tools in untrusted or exposed environments until a proper fix is applied.
  • Use allowlists to restrict which paths can be read or written by the service.
Compliance Impact

This vulnerability allows attackers to read and write arbitrary files on the system by bypassing the intended workspace boundary restrictions. Such unauthorized access and modification of files can lead to exposure or alteration of sensitive data.

Because of the high confidentiality and integrity impact, this vulnerability could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the ability to read arbitrary files may lead to unauthorized disclosure of personal data, violating confidentiality requirements, while the ability to write arbitrary files could compromise data integrity and availability, both critical aspects under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7214. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart