CVE-2026-8116
Path Traversal in xiaozhi-mcphub Application
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| huangjunsen0406 | xiaozhi-mcphub | to 1.0.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8116 is a Path Traversal vulnerability in the xiaozhi-mcphub project affecting the authenticated DXT upload handler.
The vulnerability occurs because the application uses an untrusted value from the manifest.json file (manifest.name) to construct the extraction directory path without proper sanitization or validation.
An attacker who can upload a crafted .dxt file with a malicious manifest.name containing path traversal sequences (like "../../") can manipulate the extraction path to move files outside the intended upload directory.
This can be exploited remotely by an authenticated user who has access to the DXT upload route.
How can this vulnerability impact me? :
This vulnerability allows an attacker to place or overwrite files outside the intended upload directory, potentially disrupting application data or runtime files.
The security impact includes high risks to integrity and availability of the system.
Confidentiality impact is considered low.
If exploited, the attacker could disrupt the normal operation of the application by modifying or replacing critical files.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a path traversal attack via the manifest.name field in a .dxt archive upload to the xiaozhi-mcphub application. Detection involves monitoring for suspicious uploads containing path traversal sequences such as "../" in the manifest.name field within the manifest.json file inside .dxt archives.
Since exploitation requires authentication and uploading a crafted .dxt file, detection can include auditing upload requests to the DXT upload route for unusual or malicious payloads.
Suggested commands or methods to detect this vulnerability include:
- Inspect uploaded .dxt files for manifest.json files containing manifest.name fields with path traversal patterns (e.g., "../").
- Use file system monitoring tools to detect unexpected file creations or moves outside the intended upload directory (data/uploads/dxt).
- Review web server logs or application logs for authenticated upload requests to the DXT upload endpoint that include suspicious filenames or paths.
- Example command to search for path traversal patterns in uploaded manifest.json files (assuming access to upload directory): find data/uploads/dxt -name 'manifest.json' -exec grep -H '\.\./' {} \;
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps focus on preventing exploitation by restricting access and sanitizing inputs.
- Disable DXT uploads for untrusted or low-privileged users to reduce the attack surface.
- Restrict the DXT upload route to administrators or trusted users only.
- Run the service with limited filesystem permissions to prevent writing outside the intended upload directory.
- Implement input validation and sanitization on the manifest.name field to reject absolute paths or path traversal sequences.
- Validate that the final extraction directory remains within the intended upload directory before performing filesystem operations.
- Apply or develop regression tests to detect various path traversal techniques in uploads.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated attacker to perform path traversal during file extraction, potentially overwriting or placing files outside the intended directory. This can lead to high integrity and availability risks by disrupting application data or runtime files.
While the confidentiality impact is low, the ability to manipulate files arbitrarily on the server could indirectly affect compliance with standards like GDPR or HIPAA, which require protection of data integrity and availability.
Specifically, unauthorized modification or disruption of files could lead to non-compliance with regulations mandating secure handling and protection of sensitive data and system integrity.