Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A security vulnerability has been detected in edvardlindelof notes-mcp up to 0.1.4. This affects an unknown function of the file notes_mcp.py. The manipulation of the argument root_dir/path leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Path traversal in edvardlindelof notes-mcp up to version 0.1.4 allows remote unauthenticated attackers to read or manipulate files outside the intended directory by manipulating the root_dir or path arguments in notes_mcp.py. The vulnerability has a publicly available exploit and a CVSS score of 6.9, but the vendor has not responded to the early disclosure through issue tracking.
Technical ContextAI
notes-mcp is a Python-based Model Context Protocol (MCP) server implementation that manages note files. The vulnerability exists in notes_mcp.py where user-supplied arguments controlling directory traversal (root_dir and path parameters) are not properly validated before file operations. This is a classic CWE-22 path traversal flaw where insufficient input sanitization allows attackers to use path sequences (such as ../ or absolute paths) to escape the intended base directory and access arbitrary files on the system. The vulnerability operates at the application layer where file I/O operations accept unsanitized path inputs without canonical path resolution or whitelist validation.
RemediationAI
No vendor-released patch identified at time of analysis. Immediately upgrade to a version released after 0.1.4 if available, or consult the GitHub repository at https://github.com/edvardlindelof/notes-mcp/ for security updates. As a compensating control, implement strict input validation on all root_dir and path parameters before file operations by using canonical path resolution (e.g., Python's os.path.realpath() or pathlib.Path.resolve()) and verifying that resolved paths remain within the intended base directory. Additional mitigations include running notes-mcp with minimal file system permissions and restricting network access to the service to trusted clients only using firewall rules or network segmentation. If the service must accept remote connections, implement a WAF or proxy layer that sanitizes path parameters and blocks sequences containing ../ or absolute path prefixes.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25965