Skip to main content

scaffold-mcp CVE-2026-7237

| EUVDEUVD-2026-26008 MEDIUM
Path Traversal (CWE-22)
2026-04-28 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 28, 2026 - 08:22 NVD
HIGH MEDIUM
CVSS changed
Apr 28, 2026 - 08:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 28, 2026 - 08:01 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 07:30 euvd
EUVD-2026-26008
Analysis Generated
Apr 28, 2026 - 07:30 vuln.today
Patch released
Apr 28, 2026 - 07:30 nvd
Patch available
CVE Published
Apr 28, 2026 - 06:45 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file_path results in path traversal. The attack may be launched remotely. The exploit is now public and may be used. Upgrading to version 1.1.0 can resolve this issue. The patch is identified as c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. You should upgrade the affected component.

AnalysisAI

Path traversal in AgiFlow scaffold-mcp's write-to-file tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the file_path parameter. Versions up to 1.0.27 are affected. Public exploit code exists (GitHub issue #88), enabling attackers to bypass directory restrictions and access sensitive files or overwrite critical system files. CVSS 7.3 (High) with network attack vector and no authentication required. Vendor-released patch available in version 1.1.0 (commit c4d23592).

Technical ContextAI

This vulnerability affects AgiFlow scaffold-mcp, a Model Context Protocol (MCP) scaffolding tool for AI code generation workflows. The flaw resides in packages/scaffold-mcp/src/server/index.ts within the write-to-file tool implementation. CWE-22 (Path Traversal) occurs when user-supplied file_path input is not properly validated or sanitized before file system operations. Attackers can inject directory traversal sequences (e.g., '../../../etc/passwd' or absolute paths) to escape intended working directories. The CPE identifier cpe:2.3:a:agiflow:scaffold-mcp indicates this is an application-level vulnerability in the AgiFlow vendor's scaffold-mcp component. MCP tools typically run with the privileges of the host process, making unrestricted file access particularly dangerous in development or CI/CD environments where these scaffolding tools operate.

RemediationAI

Immediately upgrade AgiFlow scaffold-mcp to version 1.1.0 or later via package manager (npm update @agiflowai/aicode-toolkit@1.1.0 or equivalent). The patched version implements input validation for file_path parameters in the write-to-file tool, as detailed in pull request #89 (https://github.com/AgiFlow/aicode-toolkit/pull/89) and commit c4d23592ae5fb59cfeefc4641e6826f8ac89b9c6. If immediate upgrade is not feasible, implement these compensating controls: (1) Disable or remove the write-to-file tool from scaffold-mcp configurations if not essential for operations - this eliminates the attack surface but breaks file generation workflows; (2) Run scaffold-mcp processes in sandboxed containers or chroot jails with minimal file system access, limiting traversal impact to isolated directories - adds operational complexity and may break legitimate path references; (3) Deploy application firewall or proxy to inspect and reject requests containing path traversal patterns (../, absolute paths) in file_path parameters - may produce false positives for legitimate nested directory operations. Note these workarounds provide defense-in-depth only; patching is the definitive solution. Verify patch application by checking package version (npm list @agiflowai/aicode-toolkit) and testing file_path validation behavior.

Share

CVE-2026-7237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy