CVE-2026-7400 MEDIUM

CVE-2026-7400: geekgod382 filesystem-mcp-server read_file_tool/write_file_tool server.py is_path_allowed path traversal

Vendor Geekgod382
Product filesystem-mcp-server
Weakness CWE-22 · Path traversal
Published April 29, 2026
Last update April 29, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A security vulnerability has been detected in geekgod382 filesystem-mcp-server 1.0.0. It affects the function is_path_allowed in the file server.py of the component read_file_tool/write_file_tool. Manipulation leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 1.1.0 addresses this issue. The name of the patch is 45364545fc60dc80aadcd4379f08042d3d3d292e. Upgrading the affected component is advised.

Key dates

02 Disclosure timeline

April 29, 2026 CVE published
April 29, 2026 Record updated