CVE-2026-7216
Published: 28 April 2026
Summary
CVE-2026-7216 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as APIs and Models; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of the sketch_name argument in processing_server.py to reject path traversal sequences such as '../', directly preventing remote exploitation of this CWE-22 vulnerability.
- SI-2 (Flaw Remediation): mandates timely remediation of the path traversal flaw in the create_sketch tool (affected through commit e017b20a4b592a45531a6392f494007f04e661bd), eliminating the vulnerability even though the project's rolling release model provides no fixed version to upgrade to.
- Access enforcement: denies file access outside the intended sketch directory, providing defense in depth if input validation fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated path traversal in processing_server.py (create_sketch) directly enables Exploit Public-Facing Application (T1190) and, because the sketch_name argument controls where a file is written, gives an attacker an arbitrary file write that facilitates Ingress Tool Transfer (T1105).
NVD Description
A weakness has been identified in donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd. Impacted is an unknown function of the file processing_server.py of the component create_sketch Tool. This manipulation of the argument sketch_name causes path traversal. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7216 is a path traversal vulnerability (CWE-22) affecting the donchelo/processing-claude-mcp-bridge project up to commit e017b20a4b592a45531a6392f494007f04e661bd. The flaw exists in an unknown function within the processing_server.py file of the create_sketch tool, where manipulation of the sketch_name argument enables path traversal.
Remote attackers require no privileges (PR:N) and can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Exploitation yields low impacts to confidentiality, integrity, and availability (C:L/I:L/A:L), resulting in a CVSS v3.1 base score of 7.3 in an unchanged scope (S:U). A public exploit is available and could be used for attacks.
The project follows a rolling release approach, providing no specific details on affected or updated versions. Developers were informed early via GitHub issue #1 but have not responded. No vendor mitigation details are present in the available advisories; the references are the project repository (https://github.com/donchelo/processing-claude-mcp-bridge/), the issue tracker (https://github.com/donchelo/processing-claude-mcp-bridge/issues/1), and the VulDB entries (https://vuldb.com/submit/802090, https://vuldb.com/vuln/359816, https://vuldb.com/vuln/359816/cti).
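The advisory reports the flaw (an unchecked sketch_name joined onto a directory) and the SI-10 fix (validate the argument, then confine the write to the sketch root), but no code for either. The following is an added illustration, not the project's processing_server.py: it assumes the server stores every sketch as <base_dir>/<sketch_name>/<sketch_name>.pde (Processing's usual layout), and the function names naive_sketch_dir, resolve_sketch_dir and create_sketch are hypothetical. The naive function shows the CWE-22 pattern on constructed inputs; the hardened one applies an allow-list on the name and then an independent containment check on the resolved path, so that loosening the allow-list later cannot silently reopen the traversal.

```python
"""Unchecked vs. hardened handling of a user-supplied sketch name.

Added example, not the project's code. Assumed layout:
    <base_dir>/<sketch_name>/<sketch_name>.pde
"""
import os
import re
import tempfile
from pathlib import Path

# Allow-list for sketch names. Assumption: a conservative identifier pattern
# (letter first, then letters/digits/underscore, max 64 chars) is acceptable
# for Processing sketches; it is stricter than Processing's own naming rule.
# Anything outside the pattern is refused, so '../', '/', '\\', absolute paths,
# NUL bytes and empty strings never need to be enumerated individually.
SKETCH_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,63}")


def sketch_name_is_valid(sketch_name: str) -> bool:
    """Allow-list check on the raw argument (SI-10 style input validation)."""
    return SKETCH_NAME_RE.fullmatch(sketch_name) is not None


def naive_sketch_dir(base_dir: str, sketch_name: str) -> str:
    """The CWE-22 pattern: the argument is joined onto the base directory unchecked.

    Returns the normalized path the OS would actually open. os.path.join
    discards base_dir entirely when sketch_name is absolute, and normpath
    shows where '..' components lead.
    """
    return os.path.normpath(os.path.join(base_dir, sketch_name))


def resolve_sketch_dir(base_dir: str, sketch_name: str) -> str:
    """Return the sketch directory for sketch_name or raise ValueError.

    Two independent layers: (1) the allow-list above, (2) a containment check on
    the fully resolved path (symlinks included), requiring the target to be a
    direct child of the sketch root. Layer 2 still holds if layer 1 is relaxed.
    """
    if not sketch_name_is_valid(sketch_name):
        raise ValueError(f"invalid sketch name: {sketch_name!r}")
    root = Path(base_dir).resolve()
    target = (root / sketch_name).resolve()
    if target.parent != root:
        raise ValueError(f"sketch directory escapes sketch root: {target}")
    return str(target)


def traversal_rejected(base_dir: str, sketch_name: str) -> bool:
    """True if the hardened resolver refuses the name (handy for tests and logging)."""
    try:
        resolve_sketch_dir(base_dir, sketch_name)
    except ValueError:
        return True
    return False


def create_sketch(base_dir: str, sketch_name: str, source: str) -> str:
    """Hardened create_sketch: validates, confines, and never overwrites an existing sketch."""
    sketch_dir = Path(resolve_sketch_dir(base_dir, sketch_name))
    sketch_dir.mkdir(parents=False, exist_ok=False)  # fail loudly if it already exists
    pde = sketch_dir / f"{sketch_name}.pde"
    with open(pde, "x", encoding="utf-8") as fh:  # "x": create only, no clobbering
        fh.write(source)
    return str(pde)


if __name__ == "__main__":
    # Demo on a throwaway directory with constructed inputs.
    with tempfile.TemporaryDirectory() as root:
        print("created:", create_sketch(root, "Demo", "void setup() {}\nvoid draw() {}\n"))
        for bad in ("../escape", "/abs/path", "a/b", "..\\win", "x\x00y", ""):
            print(f"{bad!r:14} naive -> {naive_sketch_dir(root, bad)!r:40} "
                  f"hardened rejects: {traversal_rejected(root, bad)}")
```

Two practical notes. First, the containment check compares resolved paths, so a symlink planted inside the sketch root that points elsewhere is caught as well as a literal '../'; a lexical startswith() check on the unresolved string would not catch either reliably. Second, log every ValueError from the resolver with the offending argument: a sketch_name containing path separators or '..' arriving at a network-exposed MCP tool is a high-signal indicator of a T1190 attempt and is cheap to alert on.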
Details
- CWE(s): CWE-22 (Path Traversal)
AI Security Analysis
- AI Category: APIs and Models
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: claude, mcp