CVE-2026-7398
Published: 29 April 2026
Summary
CVE-2026-7398 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates path traversal by requiring validation of the 'Name' argument in the Upload endpoint to block directory traversal sequences such as '../'.
- SI-2 (Flaw Remediation): addresses the specific flaw in bioinfo_mcp_platform/app.py by identifying, reporting, and correcting the path traversal vulnerability.
- Logical access enforcement: ensures the Upload function only permits access to intended directories, limiting what a path traversal can reach.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal vulnerability in the remote, unauthenticated upload endpoint of a public-facing web application directly enables T1190 (exploiting the public-facing application) and facilitates T1105 (ingress of arbitrary files into unintended directories via the manipulated 'Name' parameter).
NVD Description
A weakness has been identified in florensiawidjaja BioinfoMCP up to 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. This vulnerability affects the function Upload of the file bioinfo_mcp_platform/app.py of the component Upload Endpoint. This manipulation of the argument Name causes path traversal. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
Deeper analysis
CVE-2026-7398 is a path traversal vulnerability (CWE-22) identified in the florensiawidjaja BioinfoMCP project up to commit 7ada7918b9e515604d3c0ae264d3a9af10bf6e54. The flaw affects the Upload function in the file bioinfo_mcp_platform/app.py, specifically within the Upload Endpoint, where manipulation of the 'Name' argument enables attackers to traverse directories.
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation has a limited impact on confidentiality, integrity, and availability, such as reading or modifying files outside the intended directory. A public exploit is available, increasing the risk of real-world attacks.
Advisories note that BioinfoMCP employs continuous delivery with rolling releases, providing no specific details on affected or updated versions. The project was informed early through GitHub issue #2 but has not responded. Relevant references include the project's GitHub repository (https://github.com/florensiawidjaja/BioinfoMCP/), the issue tracker (https://github.com/florensiawidjaja/BioinfoMCP/issues/2), and VulDB entries (https://vuldb.com/submit/803488, https://vuldb.com/vuln/360122, https://vuldb.com/vuln/360122/cti).
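The SI-10 control above and the analysis of the 'Name' argument both come down to one question: how should an upload endpoint turn a client-supplied file name into a destination path? The following Python example is added here to illustrate that; it is not BioinfoMCP's code and does not reproduce what bioinfo_mcp_platform/app.py actually does. The upload directory (/srv/bioinfo_uploads), the function names, and the weak join-and-go pattern shown for contrast are all assumptions, and the candidate names are constructed for the demonstration.

```python
import os
from pathlib import Path

# Assumed upload directory; the page does not state where BioinfoMCP stores uploads.
UPLOAD_DIR = Path("/srv/bioinfo_uploads")


def unsafe_upload_path(name: str) -> Path:
    """Illustrative weak pattern (an assumption, NOT BioinfoMCP's actual code):
    the client-supplied name is joined straight onto the upload directory, so
    '../' segments in it walk out of that directory."""
    return Path(os.path.join(str(UPLOAD_DIR), name))


def safe_upload_path(name: str, base: Path = UPLOAD_DIR) -> Path:
    """Return the destination path for an uploaded file, or raise ValueError.

    Two layers, as SI-10 style input validation suggests:
      1. syntactic checks on the bare file name (no separators, no '..',
         no NUL, a conservative character whitelist);
      2. a semantic containment check: the resolved candidate must still be a
         descendant of the resolved base directory.
    """
    if not name or len(name) > 255:
        raise ValueError("empty or over-long file name")
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    if "/" in name or "\\" in name:
        raise ValueError("path separators are not allowed")
    if name.startswith("."):  # covers '.', '..' and hidden files
        raise ValueError("relative or hidden file name")
    if not all(ch.isascii() and (ch.isalnum() or ch in "._-") for ch in name):
        raise ValueError("file name contains disallowed characters")

    base_resolved = base.resolve()
    # resolve() is non-strict here: the target file does not need to exist yet.
    candidate = (base_resolved / name).resolve()
    if base_resolved not in candidate.parents:
        raise ValueError("resolved path escapes the upload directory")
    return candidate


def check_names(names):
    """Classify candidate names; returns {name: 'accepted' | 'rejected: <reason>'}.
    Rejections are the events worth logging at the endpoint."""
    result = {}
    for n in names:
        try:
            safe_upload_path(n)
            result[n] = "accepted"
        except ValueError as exc:
            result[n] = f"rejected: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample names: one legitimate read file and several malformed ones.
    samples = ["sample_R1.fastq.gz", "../../etc/passwd", "..", "a/b.txt",
               "evil\x00.txt", ".bashrc"]
    for name, verdict in check_names(samples).items():
        print(f"{name!r}: {verdict}")
    print("weak join of '../../etc/passwd' ->",
          unsafe_upload_path("../../etc/passwd").resolve())
```

The whitelist is deliberately tight (ASCII letters, digits, '.', '_', '-'), which suits sequencing file names such as sample_R1.fastq.gz; loosen it only with the containment check still in place, since the two layers catch different mistakes (the syntactic layer gives a clear error and log line, the resolve-and-compare layer survives encodings or platform quirks the whitelist did not anticipate).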
Details
- CWE(s)