Skip to main content

8nite metatrader-4-mcp EUVDEUVD-2026-26777

| CVE-2026-7627 LOW
Path Traversal (CWE-22)
2026-05-02 VulDB
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Generated
May 02, 2026 - 11:30 vuln.today
Severity Changed
May 02, 2026 - 11:22 NVD
MEDIUM LOW
CVSS changed
May 02, 2026 - 11:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
PoC Detected
May 02, 2026 - 11:15 vuln.today
Public exploit code
EUVD ID Assigned
May 02, 2026 - 11:15 euvd
EUVD-2026-26777
Analysis Generated
May 02, 2026 - 11:15 vuln.today
CVE Published
May 02, 2026 - 11:00 nvd
LOW 2.1

DescriptionCVE.org

A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Path traversal in 8nite metatrader-4-mcp 1.0.0 allows authenticated remote attackers to access arbitrary files via manipulation of the ea_name argument in the CallToolRequestSchema function of src/index.ts. The vulnerability affects the sync_ea_from_file component, has publicly available exploit code, and impacts confidentiality with a CVSS score of 2.1. The vendor has not responded to early disclosure notification.

Technical ContextAI

The vulnerability exists in the CallToolRequestSchema function within src/index.ts, which processes the ea_name parameter in the sync_ea_from_file component without proper input validation or path normalization. Path traversal (CWE-22) occurs when user-supplied input containing directory traversal sequences (e.g., ../) is concatenated directly into file system paths without sanitization, allowing attackers to break out of intended directory boundaries. This is a classic file system access control bypass in Node.js/TypeScript applications where string inputs are used in fs module calls without path canonicalization or allowlist validation. The CPE indicates this affects all versions of the 8nite metatrader-4-mcp package, with version 1.0.0 explicitly confirmed.

RemediationAI

No vendor-released patch has been identified at time of analysis; the project maintainers have not responded to early disclosure. Immediate mitigation requires input validation and sanitization of the ea_name parameter: implement strict allowlist validation to accept only expected expert advisor filenames without path traversal sequences, reject any input containing ../ or absolute paths, and use Node.js path.resolve() and path.relative() to canonicalize paths and verify they remain within the intended directory before file system operations. As a compensating control, run the metatrader-4-mcp service with minimal file system permissions - restrict the process to read-only access to only the specific directories containing legitimate expert advisor files, preventing directory traversal from granting access to sensitive system files even if the code is exploited. For deployment contexts where multiple users share the same metatrader-4-mcp instance, enforce strong authentication and limit credential distribution only to trusted operators. Monitor file system access logs for suspicious path patterns containing ../ or unexpected file reads from users of the service. Consider disabling the sync_ea_from_file component entirely if not actively used, reducing the attack surface until a patched version is released.

Share

EUVD-2026-26777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy