CVE-2026-7314
Published: 28 April 2026
Summary
CVE-2026-7314 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents path traversal exploitation by requiring validation of the document_name input argument to block traversal sequences like '../'.
Addresses the root cause by requiring timely identification, reporting, and remediation of the flaw in get_doc_path, including patching when available despite vendor non-response.
Provides network boundary protection to monitor and filter remote requests, blocking crafted document_name payloads indicative of path traversal attempts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing server enables remote unauth exploitation (T1190) for arbitrary file reads (T1005) and stored data modification (T1565.001).
NVD Description
A vulnerability was detected in eiceblue spire-doc-mcp-server 1.0.0. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. The attack can be initiated remotely. The exploit is now public and…
more
may be used. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysisAI
CVE-2026-7314 is a path traversal vulnerability (CWE-22) in eiceblue spire-doc-mcp-server version 1.0.0, affecting the get_doc_path function in the file src/spire_doc_mcp/api/base.py. The issue arises from improper handling of the document_name argument, allowing attackers to manipulate it and traverse to arbitrary paths. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.
Remote attackers without authentication can exploit this vulnerability by sending crafted requests to the server, potentially reading or modifying files outside the intended directory. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, such as accessing sensitive configuration files or overwriting data in accessible paths.
Advisories from VulDB note that the project was informed early via GitHub issue #1 but has not responded or issued patches as of publication on 2026-04-28. The exploit is public and may be actively used, with details available in the referenced GitHub repository and VulDB entries; security practitioners should monitor for updates and consider isolating or restricting access to affected instances until remediation.
Exploitation is feasible given the public PoC, though no widespread real-world incidents are reported in available data.
Details
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp