Skip to main content

augments-mcp-server CVE-2026-15526

| EUVDEUVD-2026-43269 LOW
Path Traversal (CWE-22)
2026-07-13 VulDB GHSA-v62x-f943-965f
1.9
CVSS 4.0 · Vendor: VulDB

Severity by source

Vendor (VulDB) PRIMARY
1.9 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local-only path traversal with low-privilege requirement and limited read-only confidentiality impact; no integrity, availability, or scope change applies.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 13, 2026 - 04:29 vuln.today
Severity Changed
Jul 13, 2026 - 04:22 NVD
MEDIUM LOW
CVSS changed
Jul 13, 2026 - 04:22 NVD
4.8 (MEDIUM) 1.9 (LOW)

DescriptionCVE.org

A flaw has been found in augmnt augments-mcp-server 7.1.0. This issue affects the function scanProjectDeps of the file src/tools/v4/scan-project-deps.ts of the component scan_project_deps. Executing a manipulation of the argument packageJsonPath can lead to path traversal. The attack can only be executed locally. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in augmnt augments-mcp-server 7.1.0 allows a local low-privileged attacker to read arbitrary files outside the intended project directory by manipulating the packageJsonPath argument passed to the scanProjectDeps function. The vulnerability is limited to confidentiality impact (VC:L) with no integrity or availability effect, and a proof-of-concept has been publicly disclosed via a GitHub issue. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local low-privilege access
Delivery
Identify running augments-mcp-server process
Exploit
Invoke scan_project_deps tool with traversal path
Execution
Server reads file outside project root
Impact
Exfiltrate sensitive local file contents

Vulnerability AssessmentAI

Exploitation Exploitation requires local access to the machine running augments-mcp-server and the ability to invoke the scan_project_deps MCP tool with a manipulated packageJsonPath argument - this corresponds to at minimum a low-privileged local account (PR:L, AV:L per CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall real-world risk is low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged local user or malicious script running on the same workstation as an active augments-mcp-server instance invokes the scan_project_deps MCP tool with a crafted packageJsonPath value such as '../../../../etc/shadow' or a path pointing to SSH private keys. The server processes the unsanitized path and returns the contents of the target file, disclosing sensitive data accessible to the server process's user. …
Remediation No vendor-released patch has been identified at time of analysis - the project was informed via responsible disclosure but has not responded. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15526 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy