CVE-2026-7811 Overview
CVE-2026-7811 is a path traversal vulnerability in the 54yyyu code-mcp project, an MCP (Model Context Protocol) server implementation. The flaw resides in the is_safe_path function within src/code_mcp/server.py, part of the MCP File Handler component. Attackers can manipulate path inputs to escape the intended directory boundary and access files outside the allowed scope. The vulnerability is exploitable remotely without authentication or user interaction. The project follows a rolling release model, so specific affected and fixed version numbers are not published. The maintainer was notified through an issue report but has not yet responded, and a public exploit disclosure exists.
Critical Impact
Remote attackers can read or write files outside the intended working directory by abusing is_safe_path validation in the MCP File Handler, exposing source code, configuration, and secrets accessible to the MCP server process.
Affected Products
- 54yyyu code-mcp repository up to commit 4cfc4643541a110c906d93635b391bf7e357f4a8
- MCP File Handler component in src/code_mcp/server.py
- Rolling-release distributions of code-mcp (no discrete versioning)
Discovery Timeline
- 2026-05-05 - CVE-2026-7811 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7811
Vulnerability Analysis
The vulnerability is a path traversal weakness classified under [CWE-22]. The is_safe_path function in src/code_mcp/server.py is intended to validate that file operations remain within an allowed root directory. The validation logic fails to fully canonicalize or constrain user-supplied paths before file access. As a result, attackers can submit crafted path strings containing traversal sequences such as ../ or absolute paths to reach files outside the intended sandbox.
Because code-mcp exposes file operations over the Model Context Protocol, an attacker who can reach the MCP endpoint can leverage standard file-handling tool calls to trigger the flaw. The exploit has been publicly disclosed, increasing the likelihood of opportunistic abuse against exposed instances.
Root Cause
The root cause is insufficient path normalization and boundary checking inside is_safe_path. Safe-path checks that rely on string comparison rather than resolved canonical paths are bypassable through symbolic links, mixed separators, or relative traversal segments. The function returns a permissive result for paths that resolve outside the intended base directory, allowing downstream file operations to act on arbitrary locations on the host filesystem.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker invokes an MCP file-handling operation with a path argument containing traversal sequences. The vulnerable validator approves the path, and the MCP server reads or manipulates files outside its working directory. Refer to the GitHub Issue #4 Discussion and VulDB Vulnerability #361071 for additional technical context.
No verified exploit code is reproduced here. The vulnerability mechanism is described in prose only, consistent with the public disclosure in the linked references.
Detection Methods for CVE-2026-7811
Indicators of Compromise
- MCP request logs containing path arguments with ../, ..\, or URL-encoded traversal sequences such as %2e%2e%2f.
- File access by the code-mcp process to paths outside its configured project root, including /etc/, user home directories, or SSH key locations.
- Unexpected reads of sensitive files like .env, id_rsa, or config.json correlated with MCP tool invocations.
Detection Strategies
- Instrument the MCP server to log every resolved absolute path passed to file read and write handlers and alert on paths outside the project root.
- Apply static analysis to src/code_mcp/server.py to flag uses of is_safe_path that do not call os.path.realpath before comparison.
- Hunt for process-level file access anomalies originating from the Python interpreter hosting code-mcp.
Monitoring Recommendations
- Forward code-mcp application logs and host filesystem audit events to a centralized analytics pipeline for correlation.
- Monitor outbound responses from the MCP server for unexpectedly large file payloads that may indicate exfiltration.
- Track network connections to the MCP listener and alert on access from non-allowlisted clients.
How to Mitigate CVE-2026-7811
Immediate Actions Required
- Restrict network exposure of code-mcp to trusted local clients only and place it behind authenticated transport.
- Run the MCP server under a dedicated low-privilege user account confined to the intended project directory.
- Audit recent MCP request logs for traversal patterns and suspicious file access.
Patch Information
No official patch has been released. The maintainer of 54yyyu/code-mcp was notified through GitHub Issue #4 but has not yet responded. Because the project uses rolling releases, users should track the GitHub Code MCP Repository for upstream commits that harden is_safe_path and pin to a known-good commit once available.
Workarounds
- Replace the is_safe_path implementation locally so it resolves both the candidate path and the base directory with os.path.realpath before performing a commonpath containment check.
- Reject any input path containing .., null bytes, or absolute path prefixes prior to filesystem operations.
- Operate code-mcp inside a container or chroot with read-only mounts limited to the intended workspace.
# Configuration example: run code-mcp with filesystem confinement
useradd -r -s /usr/sbin/nologin codemcp
install -d -o codemcp -g codemcp -m 0750 /srv/code-mcp/workspace
systemd-run --uid=codemcp --gid=codemcp \
--property=ProtectSystem=strict \
--property=ProtectHome=yes \
--property=ReadWritePaths=/srv/code-mcp/workspace \
--property=PrivateTmp=yes \
/usr/bin/python -m code_mcp.server --root /srv/code-mcp/workspace
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
