Skip to main content

mcp-game-asset-gen EUVDEUVD-2026-26718

| CVE-2026-7594 MEDIUM
Path Traversal (CWE-22)
2026-05-01 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 01, 2026 - 21:22 NVD
HIGH MEDIUM
CVSS changed
May 01, 2026 - 21:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
PoC Detected
May 01, 2026 - 21:16 vuln.today
Public exploit code
Analysis Generated
May 01, 2026 - 21:15 vuln.today
EUVD ID Assigned
May 01, 2026 - 21:01 euvd
EUVD-2026-26718
Analysis Generated
May 01, 2026 - 21:01 vuln.today
CVE Published
May 01, 2026 - 20:30 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was detected in Flux159 mcp-game-asset-gen 0.1.0. Affected is the function image_to_3d_async of the file src/index.ts of the component MCP Interface. The manipulation of the argument statusFile results in path traversal. The attack can be executed remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in Flux159 mcp-game-asset-gen 0.1.0 allows remote unauthenticated attackers to read, write, and potentially delete arbitrary files via manipulation of the statusFile parameter in the image_to_3d_async function. The vulnerability is confirmed actively exploited with publicly available exploit code (GitHub issue #3). CVSS 7.3 reflects network-accessible attack with low confidentiality, integrity, and availability impact. Despite early responsible disclosure via issue report, the maintainer has not responded, leaving the open-source project unpatched.

Technical ContextAI

This vulnerability affects mcp-game-asset-gen version 0.1.0, a game asset generation tool using the Model Context Protocol (MCP) interface. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), occurring in the image_to_3d_async function within src/index.ts. Path traversal flaws arise when user-controlled input (statusFile argument) is used to construct file paths without proper validation or sanitization. An attacker can inject directory traversal sequences (../, absolute paths, or symbolic link references) to escape intended directory restrictions, accessing or modifying files outside the application's working directory. The MCP Interface component suggests this may be part of a larger model-context protocol implementation for game asset workflows, where status tracking files are written based on user input.

RemediationAI

No vendor-released patch is available at time of analysis - the project maintainer has not responded to the disclosure (GitHub issue #3). Organizations using mcp-game-asset-gen 0.1.0 should immediately implement compensating controls: (1) Input validation - if the application must continue running, wrap the image_to_3d_async function with strict validation to reject statusFile arguments containing directory traversal sequences (../, .\, absolute paths starting with / or drive letters, null bytes). Regular expression whitelist approach: allow only alphanumeric characters, hyphens, underscores, and a single extension. Trade-off: may break legitimate use cases expecting nested directory structures. (2) Filesystem sandboxing - run the application in a containerized environment (Docker, chroot jail) with minimal filesystem access, ensuring path traversal cannot reach sensitive system directories. Trade-off: requires infrastructure changes and may impact integration with other tools. (3) Network access control - if the MCP interface does not require public internet exposure, restrict access via firewall rules or VPN to trusted internal networks only. Trade-off: eliminates remote attack vector (AV:N) but does not address insider threat. (4) Monitor for alternatives - evaluate migrating to maintained forks or alternative game asset generation tools with active security support. Long-term, continued use of unpatched software with public exploits is untenable for production environments.

Share

EUVD-2026-26718 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy