CVE-2026-7386
Status: Received (Intake)
Path Traversal in mail-mcp-bridge

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A path traversal flaw has been found in fatbobman mail-mcp-bridge up to version 1.3.3. An unknown function in the file src/mail_mcp_server.py is affected: manipulation of the message_ids argument leads to path traversal. The attack can be executed remotely, and an exploit has been published and may be used. Upgrading to version 1.3.4 addresses this issue; the fix is commit 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
Meta Information
Published: 2026-04-29
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2026-04-29
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor      Product           Version / Range
fatbobman   mail_mcp_bridge   < 1.3.4 (affected)
fatbobman   mail_mcp_bridge   1.3.4 (fixed)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a path traversal flaw in fatbobman mail-mcp-bridge up to version 1.3.3, in an unknown function within the file src/mail_mcp_server.py. The message_ids argument is used to build filesystem paths without adequate sanitisation, so a crafted value can make the resulting path resolve outside the intended directory. An attacker can use this remotely to reach files or directories outside the intended scope.

The advisory states that the attack can be executed remotely and that an exploit has already been published. Upgrading to version 1.3.4, which contains the patch, resolves this issue.


How can this vulnerability impact me?

This vulnerability can allow an attacker to perform a path traversal attack remotely, potentially accessing sensitive files or directories on the affected system that should not be accessible. This can lead to unauthorized disclosure of information, modification, or deletion of files, which may compromise the integrity and confidentiality of the system.


What immediate steps should I take to mitigate this vulnerability?

The recommended immediate step to mitigate this vulnerability is to upgrade the affected component, fatbobman mail-mcp-bridge, to version 1.3.4 or later.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-7386 is a path traversal flaw: a remote attacker can supply crafted message IDs that make the bridge operate on directories outside the intended attachment directory, including deleting them. The primary impacts are therefore to integrity and availability, through the deletion of directories or files the attacker should never be able to reach.

While the provided context and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the integrity and availability impacts caused by this vulnerability could potentially affect compliance. For example, unauthorized deletion or manipulation of email data could violate data protection and security requirements mandated by these regulations.

Mitigations such as upgrading to version 1.3.4, which includes secure handling of attachment paths and input validation, help reduce the risk of data loss or unauthorized access, thereby supporting compliance efforts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves path traversal via manipulation of the message_ids argument, which can lead to unauthorized directory deletion or access. Detection involves monitoring for suspicious message ID inputs containing path traversal sequences such as "../" or other directory escape tokens.

To detect exploitation attempts on your system, search logs and recorded inputs for message IDs containing traversal patterns. Match on "../" rather than on ".." alone, since ordinary Message-IDs contain dots, and include the percent-encoded form, which a literal "../" search misses. For example:

  • grep -rE '(\.\./|%2[eE]%2[eE])' /path/to/mail-mcp-bridge/logs
  • grep -rE '(\.\./|%2[eE]%2[eE])' /path/to/mail-mcp-bridge/data

Additionally, monitoring filesystem activity for unexpected directory deletions or modifications outside the intended attachment directories can help detect exploitation.

Since the vulnerability is triggered by crafted message IDs passed to the cleanup or extraction tools, restricting or logging calls to these tools and validating inputs for path traversal tokens is recommended.


Can you explain this vulnerability to me?

CVE-2026-7386 is a path traversal vulnerability found in the fatbobman mail-mcp-bridge software up to version 1.3.3. The flaw exists in an unknown function within the file src/mail_mcp_server.py, where manipulation of the argument message_ids allows an attacker to traverse directories outside the intended path.

This vulnerability can be exploited remotely by sending crafted message IDs containing path traversal sequences like "../". This can lead to unauthorized access or deletion of files and directories outside the expected scope.

The issue was fixed in version 1.3.4 by implementing secure handling of attachment paths, including normalizing and encoding Message-ID values to prevent directory traversal, and validating that constructed paths remain within the intended base directory.


How can this vulnerability impact me?

This vulnerability can have significant impacts on the integrity and availability of your system. An attacker can exploit the path traversal flaw to delete arbitrary directories and files outside the intended attachment directory by submitting specially crafted message IDs.

Such unauthorized deletions can disrupt normal operations, cause data loss, and potentially affect critical system or application files if the attacker has sufficient filesystem permissions.

The confidentiality impact is considered low, but the ability to delete important directories remotely poses a high risk to system stability and data integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves path traversal via manipulation of message_ids leading to unauthorized directory access and deletion. Detection involves monitoring for suspicious message_id inputs containing path traversal sequences such as "../" or other directory escape tokens.

You can check logs or inputs to the mail-mcp-bridge cleanup tool or attachment extraction processes for message IDs containing path traversal patterns.

Suggested commands to detect potential exploitation attempts include searching for suspicious message IDs in logs or runtime inputs. The exact log field name depends on how the server records tool calls; adjust the pattern accordingly. For example:

  • grep -rE '(\.\./|%2[eE]%2[eE])' /path/to/mail-mcp-bridge/logs
  • grep -E 'message_id=.*(\.\./|%2[eE]%2[eE])' /var/log/syslog
  • Monitor filesystem changes or deletions in directories adjacent to the mail-mcp-bridge attachment directories using tools like inotifywait or auditd.

Additionally, reviewing the source or running tests similar to those in the test_attachment_path_safety.py can help verify if the system is vulnerable.
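An added Python example of the log-side detection described in the two detection answers above. It is not code from mail-mcp-bridge: the "message_id=" log field, the sample log lines and the function names are constructed assumptions. It goes beyond a literal grep for "../" in two ways: it percent-decodes each value (repeatedly, to catch double encoding) before judging it, and it flags any path separator or absolute path, while leaving alone the dots that ordinary Message-IDs contain.

```python
"""Scan tool-call logs for Message-ID values that could escape the attachment
directory. Added example, not code from mail-mcp-bridge: the log format
(a 'message_id=<value>' field per line) and the sample lines are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample: lines 1 and 5 are benign, lines 2, 3, 4 and 6 are not.
SAMPLE_LOG = """\
2026-04-29T10:01:02Z INFO extract message_id=<a1b2c3@example.com> attachments=2
2026-04-29T10:01:05Z INFO cleanup message_id=../../srv/mail-mcp-bridge
2026-04-29T10:01:09Z INFO cleanup message_id=%2e%2e%2f%2e%2e%2fetc
2026-04-29T10:01:12Z INFO cleanup message_id=/etc
2026-04-29T10:01:15Z INFO extract message_id=<ok.id.with.dots@example.com> attachments=0
2026-04-29T10:01:20Z INFO cleanup message_id=..%255c..%255cwindows
"""

MESSAGE_ID_FIELD = re.compile(r"message_id=(\S+)")  # assumed log field name


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the value stops changing, so %2e%2e%2f and
    the double-encoded %255c are judged on what they decode to. A literal
    grep for '../' sees neither."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(message_id: str) -> list:
    """Return why a Message-ID is unsafe as a single path component, or [] if
    it is fine. Dots alone are not a reason: RFC 5322 Message-IDs routinely
    contain them, which is why a bare '..' grep over-matches."""
    decoded = fully_decode(message_id)
    reasons = []
    if "/" in decoded or "\\" in decoded:
        reasons.append("path separator")
    if any(seg == ".." for seg in re.split(r"[\\/]", decoded)):
        reasons.append("dot-dot segment")
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        reasons.append("absolute path")
    if "\x00" in decoded:
        reasons.append("NUL byte")
    if reasons and decoded != message_id:
        reasons.append("percent-encoded")  # only noted when something else fired
    return reasons


def scan_log(lines) -> list:
    """One finding per log line whose message_id looks like traversal."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = MESSAGE_ID_FIELD.search(line)
        if not m:
            continue
        raw = m.group(1)
        reasons = traversal_reasons(raw)
        if reasons:
            findings.append({"line": lineno, "raw": raw,
                             "decoded": fully_decode(raw), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: {f['raw']!r} -> {f['decoded']!r} "
              f"({', '.join(f['reasons'])})")
```

Run against real logs by replacing SAMPLE_LOG with the file contents; any finding on a cleanup or extraction call is worth correlating with filesystem audit events around the same timestamp.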


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade the mail-mcp-bridge component to version 1.3.4 or later, which includes a patch that securely handles attachment paths and prevents path traversal.

Until the upgrade can be applied, restrict access to the vulnerable cleanup and attachment extraction tools to trusted users only.

Implement input validation to reject message IDs containing path traversal sequences or path separators.

Enforce directory containment checks before performing any filesystem operations to ensure paths remain within intended directories.

Monitor and audit usage of the mail-mcp-bridge tools to detect any suspicious activity or attempts to exploit the vulnerability.
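The fix strategy described in the explanation above for version 1.3.4 (normalise and encode the Message-ID, then verify the constructed path stays inside the base directory) and the input-validation and containment steps listed in this mitigation answer, as one added Python example. This is not mail-mcp-bridge's own code: the <base>/<message-id>/ layout, the BASE path and all function names are assumptions. The vulnerable form is shown beside the hardened one so the two failure modes, "../" climbing out of the base and an absolute value replacing it entirely, are visible.

```python
"""Vulnerable vs. hardened construction of a per-message attachment directory.

Added example written from the advisory's description of the 1.3.4 fix
(encode the Message-ID, validate containment); it is not mail-mcp-bridge's
own code. The <base>/<message-id>/ layout, BASE path and function names are
assumptions.
"""
import os
from pathlib import Path

BASE = Path("/srv/mail-mcp-bridge/attachments")  # assumed location

# Characters allowed through unchanged. No separators, and '.' is excluded
# so the encoded name can never be the special entries '.' or '..'.
SAFE_CHARS = frozenset("abcdefghijklmnopqrstuvwxyz"
                       "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def attachment_dir_vulnerable(base: Path, message_id: str) -> Path:
    """The pattern the advisory describes: an untrusted Message-ID joined
    straight into a path. '../' climbs out of base, and an absolute value
    replaces base entirely because os.path.join discards every component
    before an absolute one."""
    return Path(os.path.join(str(base), message_id))


def encode_message_id(message_id: str) -> str:
    """Map any Message-ID to exactly one filesystem-safe path component by
    percent-encoding every byte outside SAFE_CHARS. Deterministic, so the
    same Message-ID always maps to the same directory."""
    if not message_id:
        raise ValueError("empty Message-ID")
    return "".join(
        chr(b) if chr(b) in SAFE_CHARS else f"%{b:02X}"
        for b in message_id.encode("utf-8")
    )


def is_within(base: Path, candidate: Path) -> bool:
    """Containment check to run before mkdir/open/rmtree: resolve both sides
    (symlinks and '..') and require candidate to be strictly below base.
    The base itself is rejected so a cleanup tool can never be talked into
    removing the whole attachment store."""
    base_r, cand_r = base.resolve(), candidate.resolve()
    try:
        cand_r.relative_to(base_r)
    except ValueError:
        return False
    return cand_r != base_r


def attachment_dir_safe(base: Path, message_id: str) -> Path:
    """Hardened form: encode first, then verify containment anyway."""
    candidate = base.resolve() / encode_message_id(message_id)
    if not is_within(base, candidate):
        raise ValueError(f"path escapes attachment directory: {candidate}")
    return candidate


if __name__ == "__main__":
    for mid in ["<a1b2c3@example.com>", "../../etc", "/etc/passwd", ".."]:
        vuln = attachment_dir_vulnerable(BASE, mid)
        print(f"{mid!r:24} vulnerable -> {vuln}  contained={is_within(BASE, vuln)}")
        print(f"{'':24} hardened   -> {attachment_dir_safe(BASE, mid)}")
```

Encoding alone is sufficient for newly created directories; the separate is_within check matters for any code path that still receives a raw path (legacy directories, a cleanup tool fed names from elsewhere), and it must run after resolve(), not on the unresolved string.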

