Description
A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. The affected function is handleGetSourceContext in the file src/server.ts. The manipulation leads to path traversal. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a path traversal weakness (CWE-22) in the handleGetSourceContext operation of the server component of debugmcp's mcp-debugger. An attacker who can reach the server remotely can manipulate the function's input to reference files outside the intended source context, potentially reading arbitrary files on the host. The publicly available exploit can be executed without authentication, enabling disclosure of sensitive data and compromising confidentiality. The CVSS vectors recorded for this entry, however, specify low privileges (PR:L; Au:S in CVSS v2) and a low confidentiality impact.

Affected Systems

Compiled files and runtimes of debugmcp's mcp-debugger up to and including version 0.20.0 are vulnerable. The weakness is exercised through the src/server.ts module, affecting any environment where the server component is exposed to external network traffic.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity, but the absence of an EPSS rating prevents a precise assessment of current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog, yet a publicly documented exploit exists, pointing to a tangible risk. Since the attack vector is remote, any system running an exposed instance of the affected mcp-debugger could be exploited by sending crafted requests to the handleGetSourceContext endpoint.

Generated by OpenCVE AI on May 25, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mcp-debugger to a release that includes the fix for the path traversal in handleGetSourceContext; if no official patch is available, install the latest stable release that supersedes v0.20.0.
  • Implement network segmentation or firewall rules to restrict external access to the mcp‑debugger service, limiting exposure to trusted hosts only.
  • Where possible, remove or disable the handleGetSourceContext endpoint in the application configuration and validate all file path inputs to prevent traversal; ensure the server enforces strict path normalization before accessing the filesystem.

Generated by OpenCVE AI on May 25, 2026 at 16:22 UTC.
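
A containment check of the kind the last recommendation describes, as an added example that is not code from mcp-debugger or from OpenCVE. The real handleGetSourceContext signature is not shown on this page, so `resolveInsideRoot`, `getSourceContext`, their parameters and the sample file tree are assumptions constructed for illustration.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";
// Hypothetical helper: map a client-supplied path to a real file under `root`, or throw.
function resolveInsideRoot(root: string, requested: string): string {
  if (requested.includes("\0")) throw new Error("NUL byte in path");
  const realRoot = fs.realpathSync(root);
  // realpathSync resolves "..", absolute inputs and symlinks to the file's true location.
  const target = fs.realpathSync(path.resolve(realRoot, requested));
  const rel = path.relative(realRoot, target);
  const escapes = rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  if (escapes) throw new Error("path escapes source root");
  return target;
}

// Hypothetical source-context reader: `radius` lines either side of 1-based `line`.
function getSourceContext(root: string, file: string, line: number, radius = 2): string[] {
  const target = resolveInsideRoot(root, file); // containment check before any read
  const lines = fs.readFileSync(target, "utf8").split("\n");
  return lines.slice(Math.max(0, line - 1 - radius), line + radius);
}

function attempt(root: string, file: string): string {
  try {
    return getSourceContext(root, file, 2, 1).join("|");
  } catch (e) {
    return "rejected: " + (e as Error).message;
  }
}

// Constructed sample tree: one file inside the root, one "secret" beside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "srcctx-"));
  const root = path.join(base, "project");
  const secret = path.join(base, "secret.txt");
  fs.mkdirSync(path.join(root, "src"), { recursive: true });
  fs.writeFileSync(path.join(root, "src", "app.ts"), "line1\nline2\nline3\nline4\n");
  fs.writeFileSync(secret, "s1\ns2\ns3\n");
  fs.symlinkSync(secret, path.join(root, "src", "link.ts"));
  const results = {
    inside: attempt(root, "src/app.ts"),
    dotdot: attempt(root, "../secret.txt"),
    absolute: attempt(root, secret),
    symlink: attempt(root, "src/link.ts"),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
console.log(demo());
```

Because realpathSync requires the file to exist, this pattern suits read handlers. A check-then-open race remains if untrusted users can write inside the root.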

Advisories

No advisories yet.

History

Mon, 25 May 2026 15:45:00 +0000

Type Values Removed Values Added
Description: A vulnerability was identified in debugmcp mcp-debugger up to 0.20.0. The affected function is handleGetSourceContext in the file src/server.ts. The manipulation leads to path traversal. The attack can be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title: debugmcp mcp-debugger server.ts handleGetSourceContext path traversal
First Time appeared: Debugmcp; Debugmcp mcp-debugger
Weaknesses: CWE-22
CPEs: cpe:2.3:a:debugmcp:mcp-debugger:*:*:*:*:*:*:*:*
Vendors & Products: Debugmcp; Debugmcp mcp-debugger
References
Metrics:
cvssV2_0: {'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T14:45:09.859Z

Reserved: 2026-05-24T08:58:22.240Z

Link: CVE-2026-9467

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T16:30:16Z

Weaknesses