CVE-2026-15524
Received Received - Intake

Path Traversal in alioshr memory-bank-mcp

Vulnerability report for CVE-2026-15524, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A security vulnerability has been detected in alioshr memory-bank-mcp up to 0.2.1/3.1. This affects an unknown part of the file list-project-files-validation-factory.ts. Such manipulation of the argument projectName leads to path traversal. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
alioshr memory-bank-mcp to 0.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

Immediate mitigation involves adding proper validation to the projectName argument in the list_project_files tool to prevent path traversal.

Specifically, applying a PathSecurityValidator to the projectName argument, similar to other tools like read, write, and update, will block attempts to traverse directories using '../' sequences.

Additionally, implementing an optional defense layer at the filesystem boundary to enforce canonical path checks can provide extra protection.

Until a patch is applied, restrict local access to the memory-bank-mcp server to trusted users only, as local access is required to exploit this vulnerability.

Executive Summary

This vulnerability is a path traversal issue in the memory-bank-mcp project, specifically in the list_project_files tool. It occurs because the projectName argument does not have proper validation, allowing an attacker with local access to manipulate the argument with sequences like '../' to traverse directories outside the intended memory bank root directory.

Unlike other tools in the project that enforce path traversal prevention using a PathSecurityValidator, this tool lacks such validation, enabling directory enumeration beyond the project boundaries.

Impact Analysis

The vulnerability allows an attacker with local access to enumerate directories outside the intended MEMORY_BANK_ROOT directory by exploiting the lack of validation in the list_project_files tool.

While it does not allow arbitrary file reading or writing, it bypasses project isolation boundaries and can reveal the structure and contents of directories that should be inaccessible, potentially exposing sensitive file names or directory layouts.

Detection Guidance

This vulnerability can be detected by attempting to exploit the path traversal issue in the list_project_files tool of the memory-bank-mcp server. Specifically, you can test if the projectName argument accepts arbitrary '../' sequences that allow directory enumeration outside the configured MEMORY_BANK_ROOT directory.

A proof-of-concept script exists that demonstrates listing files in directories outside MEMORY_BANK_ROOT by abusing this path traversal vulnerability.

To detect this on your system, you can try invoking the list_project_files command or API with crafted projectName arguments containing '../' sequences and observe if files outside the intended directory are listed.

  • Use commands or scripts that call the list_project_files tool with projectName values like '../../etc' or similar to check if directory traversal is possible.
  • Monitor logs for unusual directory enumeration requests or unexpected file listings outside the MEMORY_BANK_ROOT.
Compliance Impact

The vulnerability allows path traversal leading to directory enumeration outside the intended project root directory, which could expose file structure information.

However, it does not grant arbitrary file read or write access, limiting the scope of data exposure.

Since the vulnerability requires local access and only allows directory listing without direct access to sensitive file contents, the direct impact on compliance with standards like GDPR or HIPAA is limited but could still pose a risk if sensitive directory structures or metadata are exposed.

Organizations relying on this software should consider this vulnerability as a potential information disclosure risk that might affect compliance depending on the sensitivity of the exposed directory information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart