Path Traversal Vulnerability in Mobile Next MCP Server for Mobile Development
CVE-2026-33989

8.1 HIGH

Key Information:

Vendor
CVE Published: 27 March 2026

What is CVE-2026-33989?

The Mobile Next MCP Server, used for mobile development and automation, did not validate input to its mobile_save_screenshot and mobile_start_screen_recording functionality. The saveTo and output parameters were passed directly to filesystem operations, allowing attackers to manipulate file paths and write files outside the designated workspace. This poses significant security risks, including unauthorized access to sensitive data. The issue has been addressed in version 0.0.49, reinforcing the importance of input validation for robust security.
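The unvalidated-path pattern described above next to a workspace containment check, as an added example that is not mobile-mcp's code and not the fix shipped in 0.0.49. The function names (unsafeTarget, safeTarget, demo) and the directory layout are assumptions made for illustration; only the saveTo parameter name comes from the advisory.

```javascript
// Hypothetical helpers for illustration; not taken from mobile-mcp.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// Pattern the advisory describes: the caller-supplied value is used as-is, so
// "../" segments or an absolute path choose where the file is written.
function unsafeTarget(workspace, saveTo) {
  return path.resolve(workspace, saveTo);
}

// Hardened form: canonicalise first, then require the result to stay inside
// the workspace. Throws instead of returning a path outside it.
function safeTarget(workspace, saveTo) {
  if (typeof saveTo !== "string" || saveTo === "" || saveTo.includes("\0")) {
    throw new Error("invalid path");
  }
  const root = fs.realpathSync(workspace);
  const candidate = path.resolve(root, saveTo);
  // The file may not exist yet, so resolve symlinks in its parent directory.
  const parent = fs.realpathSync(path.dirname(candidate));
  const target = path.join(parent, path.basename(candidate));
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes workspace");
  }
  // An existing symlink as the final component would redirect the write.
  const st = fs.lstatSync(target, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) throw new Error("target is a symlink");
  return target;
}

// Constructed sample inputs, run against a throwaway workspace.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "ws-demo-"));
  const workspace = path.join(base, "workspace");
  const outside = path.join(base, "outside");
  fs.mkdirSync(workspace);
  fs.mkdirSync(outside);
  fs.symlinkSync(outside, path.join(workspace, "link")); // symlink out of the workspace
  const inputs = ["shot.png", "../outside/shot.png", path.join(outside, "x.mp4"), "link/shot.png"];
  const results = inputs.map((saveTo) => {
    try { safeTarget(workspace, saveTo); return "allowed"; } catch (e) { return "rejected"; }
  });
  const unsafeEscapes = !unsafeTarget(workspace, inputs[1]).startsWith(workspace + path.sep);
  fs.rmSync(base, { recursive: true, force: true });
  return { results, unsafeEscapes };
}
```

The check and the later write are separate steps, so a directory swapped for a symlink between them would still redirect the file; the workspace should not be writable by untrusted parties.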

Affected Version(s)

mobile-mcp < 0.0.49

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
