QwikSec

Security Database

CVE

CWE

Training

CVE-2026-7386

Published: Apr 29, 2026

Modified: Apr 29, 2026

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

A flaw has been found in fatbobman mail-mcp-bridge up to 1.3.3. Affected is an unknown function of the file src/mail_mcp_server.py. Executing a manipulation of the argument message_ids can lead to path traversal. The attack can be executed remotely. The exploit has been published and may be used. Upgrading to version 1.3.4 is able to address this issue. This patch is called 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading the affected component is recommended.

Vendor	Product	Versions
fatbobman	mail-mcp-bridge	affected `1.3.0` affected `1.3.1` affected `1.3.2` affected `1.3.3` unaffected `1.3.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

VDB-360107 | fatbobman mail-mcp-bridge mail_mcp_server.py path traversal

vdb-entry

technical-description

VDB-360107 | CTI Indicators (IOB, IOC, TTP, IOA)

signature

permissions-required

Submit #803096 | fatbobman mail-mcp-bridge d9e7d9acc2abcf9da8252d76506fc5afbc08d08e Path Traversal

third-party-advisory

https://github.com/fatbobman/mail-mcp-bridge/issues/2

exploit

issue-tracking

https://github.com/fatbobman/mail-mcp-bridge/commit/638b162b26532e32fa8d8047f638537dbdfe197a

patch

https://github.com/fatbobman/mail-mcp-bridge/releases/tag/1.3.4

patch

https://github.com/fatbobman/mail-mcp-bridge/

product

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.