Cyber Resilience

CVE-2026-7398

Severity: Medium
Published: 29 April 2026
Modified: 29 April 2026
KEV Added: (not listed)
Patch: (no version details available)
CVSS Score (v4): 5.5
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0009 (25.3rd percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-7398 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) it ranks at the 25.3rd percentile, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7398 is a path traversal vulnerability (CWE-22) identified in the florensiawidjaja BioinfoMCP project up to commit 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. The flaw affects the Upload function in the file bioinfo_mcp_platform/app.py, specifically within the Upload Endpoint, where manipulation of the 'Name' argument enables attackers to traverse directories.

The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation grants limited impacts on confidentiality, integrity, and availability, such as reading or modifying files outside the intended directory. A public exploit is available, increasing the risk of real-world attacks.

Advisories note that BioinfoMCP employs continuous delivery with rolling releases, providing no specific details on affected or updated versions. The project was informed early through GitHub issue #2 but has not responded. Relevant references include the project's GitHub repository (https://github.com/florensiawidjaja/BioinfoMCP/), the issue tracker (https://github.com/florensiawidjaja/BioinfoMCP/issues/2), and VulDB entries (https://vuldb.com/submit/803488, https://vuldb.com/vuln/360122, https://vuldb.com/vuln/360122/cti).


Vulnerability details

A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The path traversal vulnerability in the remote, unauthenticated upload endpoint of a public-facing web application directly enables T1190 (exploiting the public-facing application) and facilitates T1105 (writing arbitrary uploaded files to unintended directories via the manipulated 'Name' parameter).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-41180 (shared CWE-22)
CVE-2026-39308 (shared CWE-22)
CVE-2026-21878 (shared CWE-22)
CVE-2026-27969 (shared CWE-22)
CVE-2026-6957 (shared CWE-22)
CVE-2026-32055 (shared CWE-22)
CVE-2026-23949 (shared CWE-22)
CVE-2026-41589 (shared CWE-22)
CVE-2026-33183 (shared CWE-22)
CVE-2025-41714 (shared CWE-22)


Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent: Directly mitigates path traversal by requiring validation of the 'Name' argument in the Upload endpoint to block directory traversal sequences like '../'.

Prevent: Addresses the specific flaw in bioinfo_mcp_platform/app.py by identifying, reporting, and correcting the path traversal vulnerability.

Prevent: Enforces logical access controls to ensure the Upload function only permits access to intended directories, limiting path traversal exploitation.
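The input-validation and access-control items above describe what a fix for this class of flaw has to do. The following is an added example written for this page; it is not BioinfoMCP's code, and the naive join shown first is a generic illustration of the CWE-22 pattern, not the project's actual Upload implementation. The upload root (UPLOAD_ROOT) and every function name are hypothetical. The hardened version combines an allow-list on the file name with a containment check on the resolved path, and a small helper flags request parameters that a reviewer would want to see in access logs.

```python
"""Hardened handling of a client-supplied upload name (added example, not BioinfoMCP's code)."""
import os
import re
from pathlib import Path
from urllib.parse import unquote

# Hypothetical upload directory for the demonstration; a real service uses its configured root.
UPLOAD_ROOT = Path("/var/app/uploads")

# Allow-list: a plain file name that starts with an alphanumeric and uses only [A-Za-z0-9._-].
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def naive_upload_path(upload_root: Path, name: str) -> Path:
    """The weak pattern (illustration of CWE-22, not the project's code): the client-controlled
    name is joined straight onto the upload root. os.path.join keeps '..' components and
    discards the root entirely when name is absolute, so the result can land anywhere."""
    return Path(os.path.join(str(upload_root), name))


def safe_upload_path(upload_root: Path, name: str) -> Path:
    """Return a path inside upload_root for a client-supplied name, or raise ValueError.

    Two independent layers, so a bypass of one is still caught by the other:
      1. the name must be a single, allow-listed path component (no separators, no '..', no NUL);
      2. the final path is resolved and must still sit directly inside the resolved upload root.
    """
    if not isinstance(name, str) or "\x00" in name:
        raise ValueError("name must be a string without NUL bytes")
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise ValueError("name must be a single path component")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("name contains characters outside the allow-list")

    root = upload_root.resolve()
    candidate = (root / name).resolve()
    # Containment check after symlink/'..' resolution: the parent must be exactly the root.
    if candidate.parent != root:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def rejects(upload_root: Path, name: str) -> bool:
    """True if safe_upload_path refuses the name (convenience for tests and review scripts)."""
    try:
        safe_upload_path(upload_root, name)
    except ValueError:
        return True
    return False


def escapes_root(upload_root: Path, name: str) -> bool:
    """True if the naive join would place the file outside upload_root. Useful when
    replaying a sample of logged 'Name' values against the weak pattern during triage."""
    root = upload_root.resolve()
    target = naive_upload_path(upload_root, name).resolve()
    return root != target and root not in target.parents


def looks_like_traversal(raw_name: str) -> bool:
    """Detection helper for log review: decode percent-encoding (twice, to catch double encoding)
    and flag any value carrying separators, '..' or NUL, which a legitimate file name never needs."""
    decoded = unquote(unquote(raw_name))
    return any(marker in decoded for marker in ("..", "/", "\\", "\x00"))


if __name__ == "__main__":
    # Constructed sample 'Name' values as they might appear in an access log.
    for sample in ("sample.fastq.gz", "../etc/passwd", "%2e%2e%2fetc%2fpasswd", "/etc/passwd"):
        print(f"{sample!r:28} traversal={looks_like_traversal(sample)!s:5} "
              f"naive_escapes={escapes_root(UPLOAD_ROOT, sample)!s:5} rejected={rejects(UPLOAD_ROOT, sample)}")
```

The parent-equality check is deliberately stricter than a prefix comparison on strings: it is evaluated after `resolve()`, so a symlink planted inside the upload directory cannot redirect a write elsewhere, and it does not suffer from the `/var/app/uploads` vs `/var/app/uploads-old` prefix confusion that `str(path).startswith(root)` has.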
