PYSEC-2026-3426

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/wireshark-mcp/PYSEC-2026-3426.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3426
Aliases
Published
2026-07-13T15:15:37.943032Z
Modified
2026-07-13T16:33:05.760985243Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Summary
wireshark-mcp vulnerable to arbitrary file write via export_objects when WIRESHARK_MCP_ALLOWED_DIRS is not configured
Details

Description

Impact

wireshark-mcp exposes a wireshark_export_objects MCP tool that accepts an attacker-controlled dest_dir parameter and passes it to tshark's --export-objects flag with no mandatory path restriction.

The path sandbox (_allowed_dirs) is None by default and only activates when the environment variable WIRESHARK_MCP_ALLOWED_DIRS is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination.

Affected code (src/wireshark_mcp/tshark/client.py:531-543):


output_validation = self._validate_output_path(dest_dir)

# _validate_output_path only enforces the sandbox when _allowed_dirs is set.

# Default: _allowed_dirs = None → no restriction.

os.makedirs(dest_dir, exist_ok=True)   # creates arbitrary directories

cmd = [..., "--export-objects", f"{protocol},{dest_dir}"]

Attack Scenario

An attacker embeds a crafted HTTP response in a pcap file (e.g. Content-Disposition: filename=authorized_keys). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling wireshark_export_objects with:


dest_dir=/home/user/.ssh/

tshark then extracts and writes the HTTP object to that path, granting the attacker SSH access.

The same technique can target:

  • /etc/cron.d/

  • Writable web roots

  • Other sensitive filesystem locations

Additional Affected Operations

The same missing sandbox affects:

  • merge_pcap_files

  • editcap_trim

  • editcap_split

  • editcap_time_shift

  • editcap_deduplicate

  • text2pcap_import

Proof of Concept

Confirmed on wireshark-mcp v1.1.5 with tshark 4.6.4.

A crafted pcap’s HTTP object was successfully written to an arbitrary filesystem path when:


_allowed_dirs = None


Patches

Not yet patched.

A fix should make the path sandbox mandatory for all file-write operations rather than optional:


# Reject all write operations when no sandbox is configured

if not self._allowed_dirs:

    return json.dumps({

        "success": False,

        "error": {

            "type": "SecurityError",

            "message": "Set WIRESHARK_MCP_ALLOWED_DIRS before using file-write operations"

        }

    })


Workarounds

Set WIRESHARK_MCP_ALLOWED_DIRS to a restricted safe directory before starting the server:


export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safe

This activates the existing sandbox and blocks writes outside the allowed path.


Resources

  • Vulnerable code:

    • src/wireshark_mcp/tshark/client.py lines 521–543

    • src/wireshark_mcp/tshark/client.py lines 685–839

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory

  • CWE-73: External Control of File Name or Path

References

Affected packages

PyPI / wireshark-mcp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.1.5

Affected versions

0.*
0.2.1
0.4.0
0.5.0
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
1.*
1.0.0
1.1.0
1.1.5

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/wireshark-mcp/PYSEC-2026-3426.yaml"