Executive Summary

CVE-2026-10264 is a path traversal vulnerability in the whatsapp-mcp application, specifically in the SendMessageRequest function of the Send API Endpoint. The vulnerability arises because the mediaPath argument, which comes from user input, is not properly validated or sanitized. This allows an attacker to manipulate the mediaPath parameter to access files outside the intended directory by using path traversal sequences like "../".

This means an attacker can craft a request to read arbitrary files on the system that the application has access to, potentially exposing sensitive information.

The issue was fixed by adding validation functions to ensure media paths are absolute and valid files, sanitizing chat JIDs to reject path traversal sequences, and restricting the REST API to listen only on the local loopback interface to prevent unauthorized network access.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows path traversal attacks that could enable unauthorized reading of arbitrary files on the system where the whatsapp-mcp application is running.

Such unauthorized access to potentially sensitive files could lead to exposure of personal or protected data, which may impact compliance with data protection regulations like GDPR or HIPAA.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory consequences.

The recommended patch mitigates the vulnerability by validating and sanitizing media paths and restricting API access, which helps reduce the risk of unauthorized data exposure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to read arbitrary files on the system where the whatsapp-mcp application is running. Since the mediaPath parameter is not properly validated, an attacker can exploit this to access sensitive files outside the intended media directory.

Such unauthorized file access could lead to exposure of confidential data, system information, or other sensitive content that the application user or system holds.

Additionally, the REST API was originally exposed on all network interfaces, which could allow unauthenticated attackers on the local network to exploit this vulnerability remotely. The patch restricts the API to the local loopback interface to mitigate this risk.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the /api/send endpoint that include a media_path parameter containing path traversal sequences such as ../ or ../../../. An example detection method is to look for such patterns in HTTP request logs.

A proof of concept curl command demonstrating the exploit is available, which can be adapted to test if the system is vulnerable.

• Use a command like: curl -X POST http://localhost:PORT/api/send -d '{"media_path":"../../../etc/passwd"}' -H 'Content-Type: application/json' to test if path traversal is possible.
• Inspect network traffic or logs for POST requests to /api/send with media_path parameters containing ../ sequences.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit 6657cdceadd361e8fbe824afe9d00b4504009a5d which includes validation of media paths to block path traversal attacks.

• Update the REST API binding to 127.0.0.1 instead of 0.0.0.0 to prevent unauthenticated access from other hosts on the local network.
• Implement or ensure the presence of functions like validateMediaPath() and sanitizeChatJIDForPath() to validate and sanitize inputs related to media paths and chat JIDs.
• Pin or update dependencies such as h11 and urllib3 to secure versions to mitigate related vulnerabilities.

If immediate patching is not possible, restrict network access to the service to trusted hosts only and monitor for suspicious activity.

Useful 0 Not Useful 0