Technical description
Four high- and medium-severity path traversal vulnerabilities were disclosed in Model Context Protocol (MCP) server implementations used by AI agents. CVE-2026-7384 (CVSS 7.3) affects the search_papers function in ezequiroga/mcp-bases and is triggered by manipulating the topic parameter. CVE-2026-7386 (CVSS 7.3) affects fatbobman/mail-mcp-bridge and is exploitable via the message_ids argument. CVE-2026-7396 (CVSS 5.3) impacts the NousResearch/hermes-agent WeChat Work platform adapter. CVE-2026-7397 (CVSS 4.4) is a symlink-following flaw in the NousResearch/hermes-agent file tools that requires local access. All four were published to NVD on April 29, 2026.
Attack vector
Attackers manipulate function arguments (topic, message_ids, file paths) passed to MCP server tools to traverse outside intended directories. For CVE-2026-7384 and CVE-2026-7386, remote exploitation is possible by sending crafted requests to the MCP server. For CVE-2026-7397, local access is required to exploit symlink-following behavior. Successful exploitation enables reading or writing arbitrary files on the host system, potentially compromising agent memory, configuration, or credentials.
Affected systems
AI agent deployments using the affected MCP server implementations: ezequiroga/mcp-bases (research paper search), fatbobman/mail-mcp-bridge (email integration), and NousResearch/hermes-agent (multi-platform agent framework). These are community-contributed MCP servers, typically used in experimental or custom agentic AI workflows rather than enterprise-scale production.
Mitigation
Check GitHub repositories for patches or security advisories from the respective maintainers. For hermes-agent, upgrade to a version later than 0.8.0 if available. As an interim control, implement input validation wrappers around MCP tool calls to sanitize path-related arguments before they reach the server. Restrict MCP server network exposure and run servers with minimal filesystem permissions. Organizations should audit their MCP server inventory and prioritize patching servers handling sensitive data.
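One way to build the interim input validation wrapper described above, as an added example that is not code from any of the affected projects. It assumes the guarded arguments (topic and message_ids here) are meant to name entries under a single allowed root directory; safe_resolve, guard_path_args, PathArgumentError and demo_tool are hypothetical names.

```python
import functools
import tempfile
from pathlib import Path

class PathArgumentError(ValueError):
    """A tool argument would resolve outside the allowed root."""

def safe_resolve(base_dir, value):
    """Return the real path of base_dir/value; raise if it leaves base_dir."""
    if not isinstance(value, str) or not value or "\x00" in value:
        raise PathArgumentError("empty, non-string or NUL-containing value")
    base = Path(base_dir).resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the containment check
    # runs on the location the OS would open, not on the supplied string.
    # An absolute value replaces base in the join and then fails the check.
    candidate = (base / value).resolve(strict=False)
    if candidate != base and base not in candidate.parents:
        raise PathArgumentError(f"{value!r} resolves outside {base}")
    return str(candidate)

def guard_path_args(base_dir, *arg_names):
    """Decorator: validate the named keyword arguments before the tool runs."""
    def decorate(tool):
        @functools.wraps(tool)
        def wrapper(**kwargs):
            for name in arg_names:
                if name not in kwargs:
                    continue
                raw = kwargs[name]
                if isinstance(raw, (list, tuple)):   # e.g. a list of ids
                    kwargs[name] = [safe_resolve(base_dir, v) for v in raw]
                else:
                    kwargs[name] = safe_resolve(base_dir, raw)
            return tool(**kwargs)
        return wrapper
    return decorate

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:      # constructed sample root
        @guard_path_args(root, "topic")
        def demo_tool(topic):                        # hypothetical stand-in tool
            return topic
        for sample in ("physics", "../outside.txt"):     # constructed inputs
            try:
                print("allowed:", demo_tool(topic=sample))
            except PathArgumentError as exc:
                print("blocked:", exc)
```

The check and the later file open are separate steps, so a symlink swapped in between them is not caught. The wrapper complements, rather than replaces, running the server with minimal filesystem permissions.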