Description
A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-28
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw exists in the create_sketch Tool of processing_server.py. The flaw occurs when the sketch_name argument is manipulated, allowing an attacker to reference arbitrary file paths. This weakness, identified as CWE‑22, enables malicious users to read or potentially modify files beyond the intended sketch directory. The description notes that remote exploitation of the attack is possible, and this can lead to remote code execution if the attacker can write executable files or modify configuration files.

Affected Systems

The vulnerability affects donchelo's processing‑claude‑mcp‑bridge component. Affected versions include any release up to the commit e017b20a4b592a45531a6392f494007f04e661bd. The project uses a rolling release model, so version details for newer releases are not provided. The flaw resides in the processing_server.py module of the create_sketch Tool, which is part of the public repository at https://github.com/donchelo/processing-claude-mcp-bridge.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. The description states that the exploit has been made available to the public and that remote exploitation is possible, so the risk of attack is significant, especially if the create_sketch endpoint is exposed to untrusted users.

Generated by OpenCVE AI on April 28, 2026 at 12:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release of donchelo processing‑claude‑mcp‑bridge that resolves the path traversal issue as soon as it becomes available.
  • If a patch is not yet released, remove external access to the create_sketch endpoint or otherwise restrict the input of sketch_name to trusted directories.
  • Enforce strict file system permissions on the sketch directory to prevent arbitrary writes, enable audit logging to detect unusual file operations, and monitor logs for attempted path traversal.
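One way to implement the sketch_name restriction recommended above, as an added example that is not code from processing-claude-mcp-bridge: the function names, the allow-list pattern and the sample inputs are hypothetical. It combines a syntactic allow-list with a canonical-path containment check, so a name is accepted only if it resolves to a direct child of the sketch directory.

```python
import re
import tempfile
from pathlib import Path

# Hypothetical allow-list: one path component of letters, digits, "_" and "-".
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class UnsafeSketchName(ValueError):
    """Raised when sketch_name would escape the sketch directory."""


def resolve_sketch_dir(sketch_root: Path, sketch_name: str) -> Path:
    """Return the directory for sketch_name, guaranteed to sit inside sketch_root."""
    # Layer 1: syntactic allow-list. Rejects "..", separators, absolute paths,
    # NUL bytes and empty names before any filesystem call is made.
    if not isinstance(sketch_name, str) or not _NAME_RE.fullmatch(sketch_name):
        raise UnsafeSketchName(f"rejected sketch_name: {sketch_name!r}")
    # Layer 2: canonicalise and confirm containment. This also catches a
    # symlink inside sketch_root that points somewhere else.
    root = sketch_root.resolve()
    candidate = (root / sketch_name).resolve()
    if candidate.parent != root:
        raise UnsafeSketchName(f"{sketch_name!r} resolves outside {root}")
    return candidate


def check_names(sketch_root: Path, names):
    """Map each name to True (accepted) or False (rejected), e.g. for audit logs."""
    results = {}
    for name in names:
        try:
            resolve_sketch_dir(sketch_root, name)
            results[name] = True
        except UnsafeSketchName:
            results[name] = False
    return results


if __name__ == "__main__":
    # Constructed sample inputs; the root is a throwaway temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        samples = ["my_sketch", "../outside", "/abs/path", "a/b", "..", ""]
        for name, ok in check_names(Path(tmp), samples).items():
            print(f"{name!r:15} -> {'accepted' if ok else 'rejected'}")
```

Logging each UnsafeSketchName rejection gives the audit trail the third recommendation asks for.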



Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Donchelo; Donchelo processing-claude-mcp-bridge
Vendors & Products | | Donchelo; Donchelo processing-claude-mcp-bridge

Tue, 28 Apr 2026 03:00:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Title | | donchelo processing-claude-mcp-bridge create_sketch Tool processing_server.py path traversal
Weaknesses | | CWE-22
References | |
Metrics | | cvssV2_0 {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-28T14:32:46.612Z

Reserved: 2026-04-27T15:21:32.806Z

Link: CVE-2026-7216

Vulnrichment

Updated: 2026-04-28T14:32:43.067Z

NVD

Status: Deferred

Published: 2026-04-28T03:16:04.600

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T12:45:31Z
