Description
A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. It affects the function CallToolRequestSchema in the file src/index.ts of the component sync_ea_from_file. Manipulating the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the 8nite metatrader-4-mcp component enables an attacker to manipulate the ea_name argument in CallToolRequestSchema, resulting in a path traversal condition that can be exploited remotely. By supplying a crafted value, an adversary can cause the system to resolve file paths outside the intended directory. This leads to reading or potentially executing files on the host, violating confidentiality and integrity of the system.

Affected Systems

8nite metatrader-4-mcp version 1.0.0 is affected. The issue pertains to the sync_ea_from_file module found in src/index.ts. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting it is not a known exploited vulnerability at this time. However, the exploitation can be performed remotely and the attacker may be able to read or access files outside the intended directory. With no official patch or response from the project, the likelihood remains uncertain but the risk persists for any system running the affected component.

Generated by OpenCVE AI on May 2, 2026 at 12:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate or sanitize the ea_name input to ensure it does not contain directory traversal characters such as "../" or other path manipulation sequences.
  • Restrict file access in sync_ea_from_file to a known safe base directory and reject requests that would resolve outside that directory.
  • Disable or remove the sync_ea_from_file feature if it is not required for the environment, or restrict its exposure to trusted users or network segments.
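
The first two recommended actions combined, as an added TypeScript example (not code from the metatrader-4-mcp project). The function name `resolveEaPath`, the name pattern and the base-directory argument are assumptions for illustration; the symbolic-link check goes one step beyond the list above.

```typescript
import * as fs from "fs";
import * as path from "path";

// Assumed allowlist: one file name, no path separators, no drive or stream
// characters. Tighten it to the naming scheme actually used for EA files.
const EA_NAME_PATTERN = /^[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}$/;

// True when `target` lies strictly below `base` (both absolute paths).
function isInside(base: string, target: string): boolean {
  const rel = path.relative(base, target);
  return rel !== "" && rel !== ".." &&
    !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Map an untrusted ea_name to an absolute path under baseDir, or throw.
function resolveEaPath(baseDir: string, eaName: unknown): string {
  // 1. Input validation: accept only a plain file name.
  if (typeof eaName !== "string" || !EA_NAME_PATTERN.test(eaName)) {
    throw new Error("ea_name is not a plain file name");
  }
  // 2. Containment: resolve against the real base directory and verify the
  //    result is still below it. Kept as defence in depth in case the
  //    pattern above is ever loosened.
  const base = fs.realpathSync(path.resolve(baseDir));
  const candidate = path.resolve(base, eaName);
  if (!isInside(base, candidate)) {
    throw new Error("ea_name resolves outside the base directory");
  }
  // 3. Links: a symbolic link inside the base directory can still point
  //    elsewhere (even when dangling), so refuse to follow one.
  const st = fs.lstatSync(candidate, { throwIfNoEntry: false });
  if (st !== undefined && st.isSymbolicLink()) {
    throw new Error("ea_name refers to a symbolic link");
  }
  return candidate;
}
```

The handler should open only the path this function returns and never rebuild a path from the raw ea_name afterwards.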

Advisories

No advisories yet.

History

Sat, 02 May 2026 11:15:00 +0000

Values removed: none

Values added:

  • Description: A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
  • Title: 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal
  • Weaknesses: CWE-22
  • References
  • Metrics:
      cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
      cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
      cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T11:00:14.647Z

Reserved: 2026-05-01T14:14:24.716Z

Link: CVE-2026-7627

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T11:15:58.083

Modified: 2026-05-02T11:15:58.083

Link: CVE-2026-7627

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:30:27Z

Weaknesses