CVE-2026-7386

Source
https://cve.org/CVERecord?id=CVE-2026-7386
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7386.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-7386
Published
2026-04-29T15:00:14.719Z
Modified
2026-07-08T08:10:01.232060206Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
fatbobman mail-mcp-bridge mail_mcp_server.py path traversal
Details

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mailmcpserver.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "1.3.1"
                },
                {
                    "last_affected": "1.3.1"
                },
                {
                    "introduced": "1.3.2"
                },
                {
                    "last_affected": "1.3.2"
                },
                {
                    "introduced": "1.3.3"
                },
                {
                    "last_affected": "1.3.3"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/7xxx/CVE-2026-7386.json",
    "cwe_ids": [
        "CWE-22"
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/fatbobman/mail-mcp-bridge

Affected ranges

Type
GIT
Repo
https://github.com/fatbobman/mail-mcp-bridge
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "1.3.0"
        },
        {
            "last_affected": "1.3.0"
        }
    ]
}

Affected versions

1.*
1.3.0
v1.*
v1.3.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-7386.json"