Skip to main content

ruvnet sublinear-time-solver CVE-2026-7645

| EUVDEUVD-2026-26799 MEDIUM
Path Traversal (CWE-22)
2026-05-02 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
CVSS changed
May 02, 2026 - 16:22 NVD
6.5 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
May 02, 2026 - 16:16 vuln.today
Public exploit code
Analysis Generated
May 02, 2026 - 16:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 15:30 euvd
EUVD-2026-26799
Analysis Generated
May 02, 2026 - 15:30 vuln.today
CVE Published
May 02, 2026 - 15:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in the MCP Interface export_state function of ruvnet sublinear-time-solver 1.5.0 allows remote unauthenticated attackers to manipulate file paths, resulting in information disclosure and integrity compromise. Public exploit code is available and the vulnerability has CVSS 6.5 (medium severity) with proof-of-concept publicly disclosed, though the vendor has not yet responded to early notification.

Technical ContextAI

The vulnerability exists in the export_state function within src/consciousness-explorer/mcp/server.js of the MCP (Model Context Protocol) Interface component. Path traversal (CWE-22) occurs when user-supplied input is used to construct file paths without proper validation or sanitization, allowing attackers to traverse directory structures using sequences like '../' to access or modify files outside the intended directory. The MCP server interface likely processes export requests over network protocols, enabling remote exploitation of this path manipulation flaw.

RemediationAI

No vendor-released patch has been identified at time of analysis; the vendor has not responded to early notification despite issue report at https://github.com/ruvnet/sublinear-time-solver/issues/19. Immediate mitigation requires applying strict input validation in the export_state function to reject or sanitize path traversal sequences (../, ..\ and encoded variants like %2e%2e%2f). Implement a whitelist of allowed export directories and use path canonicalization to resolve absolute paths before file operations. Restrict the process running the MCP server to a dedicated, unprivileged user account with minimal filesystem permissions. As a temporary compensating control, disable the export functionality if not critical to operations, or wrap the MCP server with a reverse proxy that validates request paths before forwarding. Monitor the GitHub issue tracker and VulDB for vendor updates, and consider forking the repository to apply patches locally if the vendor does not respond within a defined timeframe.

Share

CVE-2026-7645 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy