Description
A security flaw has been discovered in dazeb cline-mcp-memory-bank up to 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. The affected element is the function handleInitializeMemoryBank of the file src/index.ts. The manipulation of the argument projectPath results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the handleInitializeMemoryBank function of src/index.ts. An attacker can manipulate the projectPath argument to perform a path traversal, enabling reading of arbitrary files or influencing code execution paths. The flaw permits remote exploitation, and the public release of exploit code indicates that it is actionable.

Affected Systems

The affected product is dazeb’s cline-mcp-memory-bank. The known affected commit range extends up to the reference hash 55c81b9cf6c16700983c84dc4cdea3cafa19a75f. Because the project uses rolling releases, specific version numbers are not published, but any code prior to a fixed release remains vulnerable.

Risk and Exploitability

With a CVSS score of 5.3, the risk is moderate. The EPSS score is not available, and the vulnerability is not included in the CISA KEV list. The attack vector is remote; an internet-facing instance that accepts projectPath values can be abused. The published exploit demonstrates practical feasibility, so systems should not wait for a future update before mitigating.

Generated by OpenCVE AI on May 25, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest release that includes a fix for the path traversal in handleInitializeMemoryBank once it becomes available.
  • Add validation to the projectPath parameter to reject sequences containing '..' or absolute path components.
  • Run cline-mcp-memory-bank with the minimal required file system permissions or in a confined container to limit the impact of any potential exposure.
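
One way to implement the projectPath validation recommended above, as an added TypeScript example (not code from cline-mcp-memory-bank or OpenCVE). It goes beyond the literal '..' check by also resolving the path and confirming it stays under an allowed root; `ALLOWED_ROOT`, `resolveProjectPath` and `isAllowed` are hypothetical names.

```typescript
import * as path from "node:path";

// Hypothetical workspace root (an assumption, not a setting of the project).
const ALLOWED_ROOT = "/srv/mcp-workspaces";

// Returns the absolute path for a caller-supplied projectPath,
// or throws if the value could resolve outside `root`.
function resolveProjectPath(projectPath: unknown, root: string = ALLOWED_ROOT): string {
  if (typeof projectPath !== "string" || projectPath.length === 0) {
    throw new Error("projectPath must be a non-empty string");
  }
  if (projectPath.includes("\0")) {
    throw new Error("projectPath contains a NUL byte");
  }
  // Reject absolute paths in both POSIX and Windows notation, whatever the host OS.
  if (path.posix.isAbsolute(projectPath) || path.win32.isAbsolute(projectPath)) {
    throw new Error("projectPath must be relative");
  }
  // Reject any ".." segment; split on both separators so "a\\..\\b" is caught too.
  if (projectPath.split(/[\\/]+/).includes("..")) {
    throw new Error("projectPath must not contain '..' segments");
  }
  // Defence in depth: resolve against the root and confirm containment.
  const base = path.resolve(root);
  const candidate = path.resolve(base, projectPath);
  const rel = path.relative(base, candidate);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("projectPath escapes the allowed root");
  }
  return candidate;
}

// Boolean wrapper for call sites that only need an accept/reject decision.
function isAllowed(projectPath: unknown, root: string = ALLOWED_ROOT): boolean {
  try {
    resolveProjectPath(projectPath, root);
    return true;
  } catch {
    return false;
  }
}
```

These checks are lexical and do not follow symlinks; if the workspace can contain links, canonicalize the result with `fs.realpath` and repeat the containment check before using it.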


Advisories

No advisories yet.

History

Mon, 25 May 2026 15:45:00 +0000

Values Added (Values Removed is empty for every row):

Description: identical to the Description at the top of this page.
Title: dazeb cline-mcp-memory-bank index.ts handleInitializeMemoryBank path traversal
First Time appeared: Dazeb; Dazeb cline-mcp-memory-bank
Weaknesses: CWE-22
CPEs: cpe:2.3:a:dazeb:cline-mcp-memory-bank:*:*:*:*:*:*:*:*
Vendors & Products: Dazeb; Dazeb cline-mcp-memory-bank
References:
Metrics:
cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-25T15:00:17.200Z

Reserved: 2026-05-24T09:01:12.751Z

Link: CVE-2026-9468

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T18:00:15Z

Weaknesses