CVE-2026-7738 Overview
CVE-2026-7738 is a path traversal vulnerability [CWE-22] in puchunjie doc-tools-mcp version 1.0.18. The flaw resides in the create_document and open_document functions inside src/mcp-server.ts, part of the MCP Interface component. Manipulating the filePath argument allows an attacker to traverse outside the intended directory. The attack is launched remotely and requires low privileges. A public exploit has been released, and the project maintainers have not responded to the issue report.
Critical Impact
Remote attackers with low-privileged access to the MCP interface can read or write files outside the intended document directory by supplying crafted filePath values.
Affected Products
- puchunjie doc-tools-mcp 1.0.18
- Component: MCP Interface (src/mcp-server.ts)
- Functions: create_document and open_document
Discovery Timeline
- 2026-05-04 - CVE-2026-7738 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7738
Vulnerability Analysis
The vulnerability stems from insufficient validation of the filePath argument passed to the create_document and open_document functions in src/mcp-server.ts. The MCP (Model Context Protocol) interface accepts file path inputs and passes them to filesystem operations without normalizing or restricting traversal sequences such as ../. An attacker can supply a path that resolves outside the intended document directory.
Because the MCP server is reachable over the network, exploitation does not require local access. The attacker only needs the low-privileged ability to invoke the affected MCP tool methods. Successful exploitation allows arbitrary file read through open_document and arbitrary file creation or overwrite through create_document.
Root Cause
The root cause is missing path canonicalization and absent allowlist enforcement against a base directory. The functions trust caller-supplied filePath values and resolve them directly through Node.js filesystem APIs. Sequences such as ../../etc/passwd or absolute paths bypass any intended scoping.
Attack Vector
An attacker invokes the MCP tool functions over the network, supplying a crafted filePath parameter containing directory traversal sequences. The server resolves the path relative to its working directory and performs the requested read or write. No verified exploit code has been published for inclusion here. See GitHub Issue #38 and VulDB #360913 for technical details.
Detection Methods for CVE-2026-7738
Indicators of Compromise
- MCP request payloads to create_document or open_document containing ../, ..\, or absolute path prefixes in the filePath argument.
- File creation or modification events outside the configured document working directory of the doc-tools-mcp process.
- Unexpected reads of sensitive files such as /etc/passwd, SSH keys, or configuration files by the Node.js process running doc-tools-mcp.
Detection Strategies
- Inspect MCP server logs for filePath arguments containing traversal sequences or absolute paths and alert on matches.
- Monitor process-level filesystem telemetry for the doc-tools-mcp Node.js process accessing paths outside its intended document directory.
- Correlate network connections to the MCP listener port with subsequent anomalous file operations on the host.
Monitoring Recommendations
- Enable verbose logging of all MCP tool invocations including the full argument list for create_document and open_document.
- Apply file integrity monitoring to system directories that the MCP server should never touch.
- Forward host and application logs to a centralized analytics platform to enable retroactive hunting once new indicators are released.
How to Mitigate CVE-2026-7738
Immediate Actions Required
- Restrict network exposure of the doc-tools-mcp server so it is reachable only from trusted local clients or authenticated MCP hosts.
- Run the MCP server under a dedicated low-privilege user account with filesystem access limited to the intended document directory.
- Audit the host for unauthorized files written through the affected functions and review recent access to sensitive files.
Patch Information
No vendor patch is available at the time of publication. The project was notified through an issue report but has not responded. Track the project repository and GitHub Issue #4 for fix status.
Workarounds
- Apply a local patch in src/mcp-server.ts that resolves the supplied filePath with path.resolve and rejects any result that does not begin with an approved base directory.
- Reject any filePath argument containing .., null bytes, or absolute path prefixes before invoking filesystem APIs.
- Place the MCP server inside a container or sandbox with a read-only root filesystem and a single bind-mounted document directory.
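# Configuration example: run doc-tools-mcp in a constrained container.
# --network none is left out: it removes the container's network interface,
# so the loopback-only port publication below would have no effect.
docker run --rm \
  --read-only \
  --user 1000:1000 \
  -v /srv/docs:/app/docs:rw \
  -p 127.0.0.1:3000:3000 \
  doc-tools-mcp:1.0.18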
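The first two workarounds, written out as an added example (not code from doc-tools-mcp or from the issue report); the function names and the /srv/docs root are assumptions. It compares with path.relative instead of a string prefix, because /srv/docs-old also begins with /srv/docs, and it canonicalizes symlinks, which the lexical checks do not see.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Assumed document root; the page does not name the directory the server uses.
const DOC_ROOT = "/srv/docs";

// True when target is base itself or lies below it. path.relative avoids the
// naive prefix test, under which "/srv/docs-old/x" begins with "/srv/docs".
export function isInside(base: string, target: string): boolean {
  const rel = path.relative(base, target);
  return rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel);
}

// Hypothetical helper: returns the absolute path to use, or throws on rejection.
export function resolveInsideBase(baseDir: string, filePath: string): string {
  if (typeof filePath !== "string" || filePath === "" || filePath.indexOf("\0") !== -1) {
    throw new Error("rejected: empty path or null byte");
  }
  // Test POSIX and Windows forms so "C:\\x" is refused on Linux as well.
  if (path.posix.isAbsolute(filePath) || path.win32.isAbsolute(filePath)) {
    throw new Error("rejected: absolute path");
  }
  // Split on either separator so "..\\" is caught; "notes..v2.docx" is not.
  if (filePath.split(/[\\/]+/).some((s) => s === "..")) {
    throw new Error("rejected: traversal segment");
  }
  const base = path.resolve(baseDir);
  const candidate = path.resolve(base, filePath);
  if (candidate === base || !isInside(base, candidate)) {
    throw new Error("rejected: resolves outside the document directory");
  }
  // Lexical checks do not see symlinks. Canonicalize the file if it exists,
  // otherwise its parent directory (create_document targets a new file).
  const probe = fs.existsSync(candidate) ? candidate : path.dirname(candidate);
  if (fs.existsSync(probe) && !isInside(fs.realpathSync(base), fs.realpathSync(probe))) {
    throw new Error("rejected: symlink leads outside the document directory");
  }
  return candidate;
}

// Returns the accepted path or the rejection reason for each input.
export function verdicts(inputs: string[], baseDir: string = DOC_ROOT): string[] {
  return inputs.map((p) => {
    try { return resolveInsideBase(baseDir, p); }
    catch (e) { return (e as Error).message; }
  });
}

// Constructed sample filePath values, not taken from any exploit.
console.log(verdicts(["reports/q1.docx", "../../etc/passwd", "..\\..\\secret", "/etc/passwd"]));
```

The result is a point-in-time check, so the container or low-privilege account from the other workarounds still bounds what a later symlink swap could reach.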


