CVE-2026-7398
Received Received - Intake
Path Traversal in BioinfoMCP Upload Endpoint

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7398
EUVD
EUVD-2026-26274
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
florensiawidjaja bioinfomcp to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Upload function of the bioinfo_mcp_platform/app.py file in florensiawidjaja BioinfoMCP. It involves manipulation of the argument 'Name' which leads to a path traversal issue. This means an attacker can remotely exploit this flaw to access files and directories outside the intended upload directory.

Impact Analysis

The vulnerability allows remote attackers to perform path traversal attacks, potentially accessing or modifying files outside the designated upload area. This can lead to unauthorized disclosure, modification, or deletion of sensitive data, compromising the integrity and confidentiality of the system.

Compliance Impact

The vulnerability allows arbitrary file write through path traversal in the upload endpoint, leading to high integrity risk and potential workflow poisoning.

Such a vulnerability could impact compliance with standards like GDPR and HIPAA by undermining data integrity and potentially enabling unauthorized modification or corruption of sensitive data or system files.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Detection Guidance

This vulnerability can be detected by monitoring for unusual file uploads to the /upload endpoint of the BioinfoMCP platform, especially those containing directory traversal sequences or absolute paths in the filename field.

A practical way to test for this vulnerability is to attempt a crafted file upload using a command like curl that sets the filename to an absolute path or includes directory traversal characters.

Example command to test the vulnerability:

  • curl -v -F "[email protected];filename=/tmp/bioinfomcp_poc.pdf" http://<target-host>/upload

If the file is written outside the intended uploads directory (e.g., /tmp), it indicates the presence of the path traversal vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the BioinfoMCP platform to trusted users only, preventing untrusted users from accessing the upload endpoint.

Additionally, sanitize the filename input by stripping directory separators or using server-generated filenames to avoid path traversal.

Implementing filename sanitization functions such as werkzeug.utils.secure_filename() is recommended to ensure uploaded files are stored safely.

Also, consider adding regression tests to detect path traversal payloads and monitor file writes to detect suspicious activity.

Executive Summary

CVE-2026-7398 is an arbitrary file write vulnerability in the BioinfoMCP platform's upload endpoint. It occurs because the application does not properly sanitize the filename provided in a multipart upload request. Attackers can manipulate the filename argument to include absolute paths or directory traversal sequences, allowing them to write files outside the intended uploads directory.

This vulnerability enables an attacker with network access to the BioinfoMCP web platform to upload files to arbitrary locations on the server, potentially overwriting or creating files that can affect the application's workflow.

The issue arises because the malicious file path is later used by a script within the application, increasing the risk of workflow poisoning or other integrity impacts.

Impact Analysis

This vulnerability primarily impacts the integrity and availability of the system. An attacker can write arbitrary files to the server, potentially overwriting important files or injecting malicious files into the application's workflow.

  • Low confidentiality risk since the vulnerability allows writing files but not reading sensitive data.
  • High integrity risk due to the ability to create or overwrite files arbitrarily.
  • Medium availability risk as the attacker could corrupt files or disrupt workflows, causing denial of service or malfunction.

Exploitation requires network access to the upload endpoint and write permissions on the server for the targeted file paths.

Detection Guidance

This vulnerability can be detected by monitoring for unusual file uploads to the /upload endpoint of the BioinfoMCP platform, especially those containing directory traversal sequences or absolute paths in the filename field.

A practical way to test for the vulnerability is to attempt a crafted file upload using a command like curl that sets the filename to an absolute path or includes directory traversal characters.

For example, the following curl command demonstrates the exploit by uploading a file with a filename set to an absolute path, which if successful indicates the vulnerability is present:

  • curl -v -F "[email protected];filename=/tmp/bioinfomcp_poc.pdf" http://<target-host>/upload

Network monitoring tools can also be configured to detect multipart upload requests with suspicious filename parameters that include directory traversal sequences or absolute paths.

Mitigation Strategies

Immediate mitigation steps include restricting access to the BioinfoMCP platform's upload endpoint to trusted users only, thereby reducing the risk of exploitation by untrusted parties.

Additionally, sanitizing the filename parameter by stripping directory separators or using server-generated filenames can prevent path traversal attacks.

Implementing filename sanitization functions such as werkzeug.utils.secure_filename() is recommended to ensure uploaded filenames do not contain malicious path components.

Further steps include storing uploaded files under randomized or controlled names and adding regression tests to detect path traversal payloads during development.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7398. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart