CVE-2026-7237
Received Received - Intake
Path Traversal in AgiFlow scaffold-mcp write-to-file Tool

Publication date: 2026-04-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file_path results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 1.1.0 can resolve this issue. The patch is identified as c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. You should upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7237
EUVD
EUVD-2026-26008
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
agiflowai scaffold_mcp to 1.0.27 (inc)
agiflowai scaffold_mcp 1.1.0
agiflowai aicode_toolkit 1.1.0
agiflow scaffold_mcp to 1.0.27 (inc)
agiflow scaffold_mcp 1.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7237 is a vulnerability in the write-to-file tool of the AgiFlow scaffold-mcp package (up to version 1.0.27) that allows an attacker to perform arbitrary file writes through path traversal.

The vulnerability arises because the tool accepts a user-supplied file_path argument and writes content to that path without restricting it to the intended workspace directory. This means an attacker can specify paths that traverse outside the workspace (e.g., using ../ or absolute paths) and write or overwrite arbitrary files that the server process has permission to modify.

The issue is located in the file packages/scaffold-mcp/src/server/index.ts in the write-to-file component. The attack can be launched remotely.

A fix was introduced in version 1.1.0 that enforces strict path validation, ensuring file writes are confined within the workspace directory by rejecting absolute paths and relative paths that attempt to traverse outside the workspace.

Compliance Impact

The vulnerability allows arbitrary file write operations outside the intended workspace directory, which can lead to integrity loss, configuration corruption, or further system compromise.

Such unauthorized file writes could potentially expose or alter sensitive data, thereby impacting compliance with data protection standards and regulations like GDPR or HIPAA that require strict controls over data integrity and confidentiality.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Impact Analysis

This vulnerability can allow an attacker with access to the MCP interface to write or overwrite arbitrary files on the server that are writable by the server process.

  • Loss of integrity: critical files or configurations can be overwritten or corrupted.
  • Configuration corruption: important system or application configuration files could be modified, potentially disrupting service or enabling further attacks.
  • Further system compromise: by writing malicious files or scripts, an attacker could escalate privileges or execute arbitrary code.

Because the exploit is public and can be launched remotely, systems running vulnerable versions are at risk until they are upgraded or patched.

Detection Guidance

This vulnerability can be detected by attempting to exploit the arbitrary file write issue using the write-to-file tool with a crafted file_path argument that tries to write outside the workspace directory.

A proof-of-concept involves starting the affected server with MCP Inspector and invoking the write-to-file tool with a payload specifying a file path (e.g., /tmp/aicode-toolkit-poc.txt) and content (e.g., AICODE_TOOLKIT_ARBITRARY_FILE_WRITE_20260411).

Verification is done by checking if the specified file is created and contains the attacker-controlled content, demonstrating successful exploitation.

No specific network scanning commands are provided, but testing the write-to-file functionality with suspicious file paths that include absolute paths or path traversal sequences (../) can help detect the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade the affected component @agiflowai/scaffold-mcp to version 1.1.0, which includes a patch that restricts file write operations strictly to paths within the current workspace.

The patch enforces strict path resolution and validation to prevent absolute paths and relative path traversal attempts from escaping the workspace directory.

If upgrading is not immediately possible, avoid exposing the write-to-file tool interface to untrusted users and monitor for suspicious file write attempts involving absolute or traversal paths.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7237. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart