Cyber Resilience

CVE-2026-7594

Medium

Published: 01 May 2026

Published
01 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v4 5.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0007 20.6th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7594 is a medium-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-7594 is a path traversal vulnerability (CWE-22) in Flux159 mcp-game-asset-gen version 0.1.0. The issue affects the image_to_3d_async function within the src/index.ts file of the MCP Interface component, where manipulation of the statusFile argument enables traversal outside intended directories.

The vulnerability allows remote attackers to exploit it over the network with low complexity, requiring no privileges or user interaction (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, score 7.3). Successful exploitation can result in limited impacts to confidentiality, integrity, and availability, such as unauthorized file reads, modifications, or disruptions via path traversal.

Advisories from VulDB and the project's GitHub repository indicate the vulnerability was reported early via issue #3, but the maintainers have not responded or issued patches. No mitigations or fixes are currently available, and users should monitor the repository for updates.

The exploit is public and may be used in attacks, with details available through VulDB entries and the GitHub issue.

EU & UK References

Vulnerability details

A vulnerability was detected in Flux159 mcp-game-asset-gen 0.1.0. Affected is the function image_to_3d_async of the file src/index.ts of the component MCP Interface. The manipulation of the argument statusFile results in path traversal. The attack can be executed remotely. The exploit…

more

is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in network-accessible component enables remote exploitation of public-facing application (T1190) and unauthorized reads of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-7149Shared CWE-22
CVE-2026-7272Shared CWE-22
CVE-2026-7386Shared CWE-22
CVE-2026-7205Shared CWE-22
CVE-2026-7319Shared CWE-22
CVE-2026-7315Shared CWE-22
CVE-2026-7212Shared CWE-22
CVE-2026-7810Shared CWE-22
CVE-2025-61913Shared CWE-22
CVE-2026-7384Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates the manipulable statusFile argument in image_to_3d_async to block path traversal sequences like '../'.

prevent

Remediates the specific path traversal flaw in Flux159 mcp-game-asset-gen 0.1.0 by identifying, prioritizing, and applying vendor patches or workarounds promptly.

detect

Scans and monitors for CVE-2026-7594 in deployed instances of the vulnerable MCP Interface component to identify exposure before exploitation.

References