CVE-2026-7715 Overview
CVE-2026-7715 is a path traversal vulnerability [CWE-22] in the ravenwits/mcp-server-arangodb Model Context Protocol (MCP) server through version 0.4.7. The flaw resides in the arango_backup function defined in src/tools.ts within the MCP Interface component. An authenticated remote attacker can manipulate the outputDir argument to write backup files outside the intended directory. The exploit has been publicly disclosed. The maintainer was notified through an issue report but has not yet responded.
Critical Impact
Authenticated remote callers can direct ArangoDB backup writes to arbitrary filesystem locations, enabling tampering with files outside the expected output directory.
Affected Products
- ravenwits mcp-server-arangodb versions up to and including 0.4.7
- The arango_backup function in src/tools.ts
- The MCP Interface component exposing the backup tool
Discovery Timeline
- 2026-05-04 - CVE-2026-7715 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-7715
Vulnerability Analysis
The mcp-server-arangodb project provides an MCP server that exposes ArangoDB management tools to MCP clients. The arango_backup tool accepts an outputDir argument that designates where backup artifacts should be written. The implementation does not normalize or validate this path against an allow-list or a fixed base directory.
Because the argument is consumed directly by filesystem operations, an attacker supplying traversal sequences such as ../ or absolute paths can redirect output to locations outside the intended backup directory. The result is unauthorized write access to filesystem paths reachable by the process running the MCP server.
This class of flaw [CWE-22] is amplified in MCP deployments because the server typically runs with developer or service privileges and is invoked by automated AI agents that may pass attacker-influenced parameters without validation.
Root Cause
The root cause is missing input sanitization on the outputDir parameter inside arango_backup. The function trusts client-supplied path data and passes it to backup write operations without canonicalizing the path or confirming that the resolved location remains inside an approved base directory.
Attack Vector
Exploitation requires network access to the MCP server and low-privilege authentication to invoke tool calls. An attacker calls the arango_backup tool and supplies an outputDir containing traversal sequences or an absolute path. The server then writes backup contents to the attacker-chosen location, which can overwrite configuration files, drop files into web-accessible directories, or place artifacts in user-writable startup paths.
The vulnerability mechanism is described in the public GitHub Issue Report and the VulDB Vulnerability Details. No verified exploit code is reproduced here.
Detection Methods for CVE-2026-7715
Indicators of Compromise
- Backup files or ArangoDB dump artifacts written outside the configured backup directory.
- MCP tool-call logs containing arango_backup requests with outputDir values that include ../, ..\, or absolute paths.
- Unexpected file creations in sensitive locations such as web roots, cron directories, or user shell startup files following MCP server activity.
Detection Strategies
- Inspect MCP server request logs for arango_backup invocations and flag any outputDir argument that resolves outside the approved backup root.
- Run filesystem integrity monitoring on directories reachable by the MCP service account, alerting on file writes attributable to the Node.js process hosting mcp-server-arangodb.
- Audit the deployed version of mcp-server-arangodb and compare against 0.4.7 to identify exposed instances.
Monitoring Recommendations
- Centralize MCP server stdout, stderr, and audit logs into a SIEM and create a rule for path traversal patterns in tool arguments.
- Track process file write activity from the MCP server and alert on writes outside the declared backup directory.
- Review authentication events for the MCP transport and correlate low-privileged sessions with backup tool usage.
How to Mitigate CVE-2026-7715
Immediate Actions Required
- Restrict access to the MCP server so only trusted clients can invoke the arango_backup tool.
- Run the MCP server under a dedicated low-privilege user with write access limited to a single backup directory.
- Disable or remove the arango_backup tool registration until a fix is available if the function is not required.
Patch Information
No vendor patch is currently available. The maintainer was notified through the GitHub Issue Report but has not responded. Track the upstream GitHub Repository Overview for fixed releases beyond 0.4.7 and review the VulDB CTI Analysis for additional context.
Workarounds
- Wrap or fork the arango_backup handler to canonicalize outputDir with path.resolve and reject any resolved path outside a fixed backup base directory.
- Enforce a server-side allow-list of permitted backup destinations and ignore any client-supplied path component.
- Apply mandatory access controls such as AppArmor, SELinux, or container filesystem policies that confine the MCP process to a single writable directory.
# Configuration example: confine the MCP server to a dedicated backup path
mkdir -p /var/lib/mcp-arango/backups
chown mcp-arango:mcp-arango /var/lib/mcp-arango/backups
chmod 700 /var/lib/mcp-arango/backups
# Run the server as a non-privileged user with a read-only root filesystem
# and only the backup directory writable
systemd-run --uid=mcp-arango --gid=mcp-arango \
--property=ProtectSystem=strict \
--property=ReadWritePaths=/var/lib/mcp-arango/backups \
node /opt/mcp-server-arangodb/dist/index.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
