CVE-2026-7237
Path Traversal in AgiFlow scaffold-mcp write-to-file Tool
Publication date: 2026-04-28
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| agiflowai | scaffold_mcp | to 1.0.27 (inc) |
| agiflowai | scaffold_mcp | 1.1.0 |
| agiflowai | aicode_toolkit | 1.1.0 |
| agiflow | scaffold_mcp | to 1.0.27 (inc) |
| agiflow | scaffold_mcp | 1.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows arbitrary file write operations outside the intended workspace directory, which can lead to integrity loss, configuration corruption, or further system compromise.
Such unauthorized file writes could potentially expose or alter sensitive data, thereby impacting compliance with data protection standards and regulations like GDPR or HIPAA that require strict controls over data integrity and confidentiality.
However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.
Can you explain this vulnerability to me?
CVE-2026-7237 is a vulnerability in the write-to-file tool of the AgiFlow scaffold-mcp package (up to version 1.0.27) that allows an attacker to perform arbitrary file writes through path traversal.
The vulnerability arises because the tool accepts a user-supplied file_path argument and writes content to that path without restricting it to the intended workspace directory. This means an attacker can specify paths that traverse outside the workspace (e.g., using ../ or absolute paths) and write or overwrite arbitrary files that the server process has permission to modify.
The issue is located in the file packages/scaffold-mcp/src/server/index.ts in the write-to-file component. The attack can be launched remotely.
A fix was introduced in version 1.1.0 that enforces strict path validation, ensuring file writes are confined within the workspace directory by rejecting absolute paths and relative paths that attempt to traverse outside the workspace.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with access to the MCP interface to write or overwrite arbitrary files on the server that are writable by the server process.
- Loss of integrity: critical files or configurations can be overwritten or corrupted.
- Configuration corruption: important system or application configuration files could be modified, potentially disrupting service or enabling further attacks.
- Further system compromise: by writing malicious files or scripts, an attacker could escalate privileges or execute arbitrary code.
Because the exploit is public and can be launched remotely, systems running vulnerable versions are at risk until they are upgraded or patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to exploit the arbitrary file write issue using the write-to-file tool with a crafted file_path argument that tries to write outside the workspace directory.
A proof-of-concept involves starting the affected server with MCP Inspector and invoking the write-to-file tool with a payload specifying a file path (e.g., /tmp/aicode-toolkit-poc.txt) and content (e.g., AICODE_TOOLKIT_ARBITRARY_FILE_WRITE_20260411).
Verification is done by checking if the specified file is created and contains the attacker-controlled content, demonstrating successful exploitation.
No specific network scanning commands are provided, but testing the write-to-file functionality with suspicious file paths that include absolute paths or path traversal sequences (../) can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the affected component @agiflowai/scaffold-mcp to version 1.1.0, which includes a patch that restricts file write operations strictly to paths within the current workspace.
The patch enforces strict path resolution and validation to prevent absolute paths and relative path traversal attempts from escaping the workspace directory.
If upgrading is not immediately possible, avoid exposing the write-to-file tool interface to untrusted users and monitor for suspicious file write attempts involving absolute or traversal paths.