Description
A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unspecified function of the file src/mail_mcp_server.py. Manipulation of the argument message_ids leads to path traversal. The attack can be executed remotely. An exploit has been published and may be used. Upgrading to version 1.3.4 addresses this issue; the fix is commit 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in fatbobman mail-mcp-bridge up to version 1.3.3 in src/mail_mcp_server.py: a crafted value in the message_ids argument can traverse outside the directory the server intends to operate on (CWE-22). The affected function is not named in the advisory. The vendor-supplied CVSS vectors rate the effect on confidentiality, integrity and availability as low (VC:L/VI:L/VA:L in the v4.0 vector; C:L/I:L/A:L in v3.x), so the advisory does not support a claim of arbitrary file read or write; what an attacker can actually reach depends on how the resolved path is used, which the advisory does not detail.

Affected Systems

The affected product is fatbobman mail-mcp-bridge; all releases up to and including 1.3.3 are susceptible. Version 1.3.4 contains the fix, commit 638b162b26532e32fa8d8047f638537dbdfe197a. No other products or vendors are noted as affected.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates medium severity (the v3.0 and v3.1 vectors score 7.3, high). The EPSS score is below 1% and the vulnerability is not listed in CISA KEV, but a proof-of-concept exploit has been published (SSVC: Exploitation poc, Automatable yes). The attack vector is network (AV:N) with no privileges or user interaction required (PR:N/UI:N), consistent with the description's statement that the attack can be executed remotely.

Generated by OpenCVE AI on April 29, 2026 at 16:53 UTC.

Remediation

Vendor fix: upgrade to version 1.3.4, which contains the fix as commit 638b162b26532e32fa8d8047f638537dbdfe197a. No vendor workaround for earlier versions is noted.

OpenCVE Recommended Actions

  • Upgrade fatbobman mail-mcp-bridge to version 1.3.4 or apply the patch corresponding to commit 638b162b26532e32fa8d8047f638537dbdfe197a
  • If an immediate upgrade is not feasible, validate every message_ids value against a strict allow-list (reject any value containing a path separator, a '..' segment, an absolute-path prefix, a NUL byte or percent-encoded equivalents) and, after joining it onto the mailbox directory, resolve the result and confirm it still lies inside that directory; stripping leading dots alone is not sufficient
  • Monitor incoming requests for unusual message_ids patterns and log any attempts to access sensitive file paths
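The following Python is an added example, not code from mail-mcp-bridge; the affected function in src/mail_mcp_server.py is not reproduced here. It shows the CWE-22 pattern behind a message_ids lookup (a constructed unchecked join), the hardened lookup the second recommendation calls for, and a screen for the suspicious ids the third recommendation asks operators to log. The mailbox-directory layout (one file per id, directly under a single directory), the Message-ID-like id alphabet, the sample request and every helper name are assumptions made for the illustration.

```python
"""Illustration of the CWE-22 pattern behind a message_ids lookup and its fix.

Added example: this is not code from mail-mcp-bridge, and the affected
function in src/mail_mcp_server.py is not reproduced here.  Assumptions:
each message id names one file directly under a single mailbox directory,
ids look like RFC 5322 Message-IDs, and all helper names are hypothetical.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumed id alphabet (not the project's): a leading alphanumeric, then
# letters, digits, '.', '_', '@' and '-'.  No separators, no '%', no NUL.
_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._@-]{0,254}")


def unsafe_message_path(mailbox_dir, message_id):
    """Constructed vulnerable pattern: the caller-supplied id is joined onto
    the mailbox directory unchecked, so '../../etc/passwd' escapes it and an
    absolute id such as '/etc/hostname' replaces the directory outright."""
    return Path(mailbox_dir) / message_id


def normalized_unsafe_target(mailbox_dir, message_id):
    """Where the unchecked join actually lands once '..' is collapsed."""
    return os.path.normpath(unsafe_message_path(mailbox_dir, message_id))


def safe_message_path(mailbox_dir, message_id):
    """Hardened lookup: allow-list the id, then confirm the resolved target is
    a direct child of the resolved mailbox directory.  The second check also
    rejects a symlink inside the mailbox that points somewhere else."""
    if not _ID_RE.fullmatch(message_id):
        raise ValueError(f"rejected message id {message_id!r}: bad characters")
    base = Path(mailbox_dir).resolve()
    candidate = (base / message_id).resolve()
    if candidate.parent != base:
        raise ValueError(f"rejected message id {message_id!r}: escapes mailbox")
    return candidate


# Indicators worth logging on an incoming request, whether or not the
# hardened lookup is deployed yet.
_TRAVERSAL_HINTS = (
    ("dot-dot segment", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),
    ("path separator", re.compile(r"[\\/]")),
    ("absolute path", re.compile(r"^(?:[\\/]|[A-Za-z]:)")),
    ("percent-encoded path character", re.compile(r"%2e|%2f|%5c", re.IGNORECASE)),
    ("NUL byte", re.compile(r"\x00|%00")),
)


def suspicious_reasons(message_id):
    """Names of every traversal indicator present in one id ([] if none)."""
    return [name for name, rx in _TRAVERSAL_HINTS if rx.search(message_id)]


def audit_message_ids(message_ids):
    """Screen one request's message_ids list; returns {id: [reasons]} for
    the ids an operator should log."""
    flagged = {}
    for mid in message_ids:
        reasons = suspicious_reasons(mid)
        if reasons:
            flagged[mid] = reasons
    return flagged


def demo_mailbox():
    """Empty scratch mailbox directory for the demonstration below."""
    return Path(tempfile.mkdtemp(prefix="mailbox-"))


# Constructed sample request (the real tool's argument schema is not
# reproduced here): one ordinary id and three traversal attempts.
SAMPLE_REQUEST = {
    "message_ids": [
        "20260429.1234@example.org",
        "../../etc/passwd",
        "%2e%2e%2fetc%2fpasswd",
        "/etc/hostname",
    ]
}

if __name__ == "__main__":
    mailbox = demo_mailbox()
    for mid in SAMPLE_REQUEST["message_ids"]:
        print(repr(mid))
        print("  unchecked join  ->", normalized_unsafe_target(mailbox, mid))
        try:
            print("  hardened lookup ->", safe_message_path(mailbox, mid))
        except ValueError as exc:
            print("  hardened lookup ->", exc)
    print("flag for logging:", audit_message_ids(SAMPLE_REQUEST["message_ids"]))
```

The allow-list is what blocks the attack; the resolve-and-compare step is defence in depth against a symlink or an alternate encoding the regex did not anticipate. Note that the percent-encoded id never reaches the filesystem decoded in this model (the join treats '%2e' literally), so it is logged as suspicious rather than treated as a confirmed escape; whether an upstream layer decodes it first is exactly what a reviewer of the real server has to check.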


Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Fatbobman; Fatbobman mail-mcp-bridge
Vendors & Products | | Fatbobman; Fatbobman mail-mcp-bridge

Wed, 29 Apr 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.
Title | | fatbobman mail-mcp-bridge mail_mcp_server.py path traversal
Weaknesses | | CWE-22
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T15:32:11.201Z

Reserved: 2026-04-29T08:47:29.276Z

Link: CVE-2026-7386

Vulnrichment

Updated: 2026-04-29T15:32:03.351Z

NVD

Status: Deferred

Published: 2026-04-29T16:16:29.333

Modified: 2026-04-29T21:16:21.590

Link: CVE-2026-7386

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:21:03Z

Weaknesses