CVE-2026-14699
Received Received - Intake

Symlink Following in markdownify-mcp

Vulnerability report for CVE-2026-14699, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A weakness has been identified in zcaceres markdownify-mcp up to 1.1.0. The affected element is the function assertPathAllowed of the file src/Markdownify.ts. Executing a manipulation can lead to symlink following. The attack can only be executed locally. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
zcaceres markdownify-mcp to 1.1.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows local attackers to bypass path allowlist checks via symlink manipulation, potentially granting unauthorized access to files outside intended directories.

Such unauthorized file access could lead to exposure of sensitive or protected data, which may impact compliance with data protection regulations like GDPR or HIPAA if the affected files contain personal or health information.

However, the vulnerability is limited to local attack vectors and requires local access, which may reduce the risk in some deployment scenarios.

No explicit information is provided about direct compliance impacts or regulatory considerations in the provided resources.

Executive Summary

The vulnerability in markdownify-mcp up to version 1.1.0 involves a flaw in the function assertPathAllowed, which is responsible for checking if a file path is allowed. The issue arises because the path authorization relies on lexical path normalization and string comparison (using startsWith()) instead of canonicalizing paths with realpath. This allows an attacker to create symbolic links (symlinks) that point to files outside the allowed directory but appear to be inside it, bypassing the path allowlist.

As a result, the server follows these symlinks and grants unauthorized access to files outside the intended directory boundary. The attack can only be executed locally.

Impact Analysis

This vulnerability can lead to unauthorized file access outside the allowed directory in deployments where the allowed directory is writable or influenced by untrusted users. An attacker with local access can exploit symlink following to read files that should be restricted, potentially exposing sensitive information.

Detection Guidance

This vulnerability involves bypassing path allowlist checks via symlinked files, which can only be exploited locally. Detection involves identifying symlinks that point outside of allowed directories or checking for unauthorized file accesses through symlinks.

You can use commands to find symlinks within the allowed directories and verify if they point outside the intended boundaries. For example, on a Unix-like system, you can run:

  • find /path/to/allowed/directory -type l -exec ls -l {} \;

This command lists all symbolic links and their targets inside the allowed directory. You should verify if any symlink points outside the allowed directory.

Additionally, monitoring local file access logs or using system auditing tools to detect unexpected file reads via symlinks may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include restricting local user permissions to prevent untrusted users from creating symlinks in the allowed directories.

Avoid allowing writable or user-influenced directories as allowed roots in the markdownify-mcp configuration.

Apply the fix from the pending pull request which canonicalizes paths using realpath and replaces prefix-based checks with path-relative boundary checks to prevent symlink escapes.

If upgrading is not immediately possible, consider monitoring and restricting local access to the vulnerable function or service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14699. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart