Description
A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal in the export_state function of src/consciousness-explorer/mcp/server.js. An attacker can supply a crafted file path and read or modify arbitrary files on the server, exposing sensitive data and potentially enabling further attacks. This flaw is a local file access issue (CWE-22) that can compromise confidentiality and integrity of the system.

Affected Systems

Affected software is ruvnet sublinear-time-solver version 1.5.0, specifically the MCP Interface component. Only this version is listed; no newer versions with a fix are known.

Risk and Exploitability

The CVSS score is 6.9, indicating medium‑high risk. No EPSS data and the vulnerability is not listed in CISA KEV. A proof‑of‑concept exploit is publicly available, and the attack can be carried out remotely via the exported endpoint. The lack of vendor response raises the likelihood that the vulnerability could be actively used in the wild.

Generated by OpenCVE AI on May 2, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict access to the export_state endpoint to trusted users or internal networks, removing external exposure when possible.
  • Implement strict input validation to reject directory traversal sequences and only allow whitelisted filenames.
  • Monitor web server logs for unusual file requests and use intrusion detection systems to detect traversal attempts.
  • Once the vendor releases a patched version, upgrade immediately.
  • If the export_state feature is not essential, disable or remove it to eliminate the attack surface.

Generated by OpenCVE AI on May 2, 2026 at 16:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 02 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Title ruvnet sublinear-time-solver MCP server.js export_state path traversal
Weaknesses CWE-22
References
Metrics cvssV2_0

{'score': 6.4, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-02T15:15:12.031Z

Reserved: 2026-05-01T16:35:55.927Z

Link: CVE-2026-7645

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-02T16:16:15.867

Modified: 2026-05-02T16:16:15.867

Link: CVE-2026-7645

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T16:30:46Z

Weaknesses