Skip to main content

processing-claude-mcp-bridge EUVDEUVD-2026-25972

| CVE-2026-7216 MEDIUM
Path Traversal (CWE-22)
2026-04-28 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 28, 2026 - 03:22 NVD
HIGH MEDIUM
CVSS changed
Apr 28, 2026 - 03:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 28, 2026 - 03:16 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 03:00 euvd
EUVD-2026-25972
Analysis Generated
Apr 28, 2026 - 03:00 vuln.today
CVE Published
Apr 28, 2026 - 02:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in processing-claude-mcp-bridge's create_sketch tool allows remote unauthenticated attackers to read, write, or delete arbitrary files on the server by manipulating the sketch_name parameter in processing_server.py. Public exploit code exists via GitHub issue #1, enabling straightforward attacks against exposed instances. EPSS data not available, but CVSS 7.3 (High) with network vector and no authentication requirements indicates significant risk for internet-facing deployments. Project maintainer has not responded to vulnerability disclosure, leaving no vendor-confirmed patch timeline.

Technical ContextAI

This vulnerability affects the processing-claude-mcp-bridge project (CPE: cpe:2.3:a:donchelo:processing-claude-mcp-bridge), which appears to bridge Processing (creative coding framework) with Claude AI via the Model Context Protocol. The flaw is a classic CWE-22 path traversal weakness in the create_sketch tool's handling of user-supplied sketch names within processing_server.py. Insufficient input sanitization allows an attacker to inject directory traversal sequences (../ patterns) into the sketch_name argument, escaping intended directories to access arbitrary filesystem locations. The vulnerable code accepts network requests without authentication (AV:N/PR:N), processes attacker-controlled filenames, and performs file operations with the server's privileges. This architectural pattern-combining network-exposed functionality with file system operations on unsanitized user input-is a common source of path traversal vulnerabilities in web-based tooling and API endpoints.

RemediationAI

No vendor-released patch identified at time of analysis-the maintainer has not responded to the vulnerability disclosure. Users must implement compensating controls immediately: First, restrict network access to processing_server.py by binding only to localhost (127.0.0.1) if the service is used purely for local development, eliminating remote attack vectors entirely. Second, implement network-level access controls via firewall rules or VPN requirements to limit exposure to trusted IP ranges. Third, apply input validation at the application layer if modifying the code locally-whitelist allowed characters in sketch_name parameters (alphanumeric, hyphen, underscore only) and reject any input containing directory traversal sequences (../, .., absolute paths). Note that restricting to localhost may break legitimate remote usage scenarios if the bridge is designed for network accessibility. Monitor the GitHub repository (https://github.com/donchelo/processing-claude-mcp-bridge/) and VulDB entry (https://vuldb.com/vuln/359816) for maintainer response or community-contributed patches. Consider forking the project to apply security fixes independently if the project remains unmaintained, though this increases long-term maintenance burden.

Share

EUVD-2026-25972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy