Security Flaw in Repomix Affects Local File Safety Checks
CVE-2026-49988

6.8MEDIUM

Key Information:

Vendor

Yamadashy

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-49988?

Repomix, a tool for packaging repositories into AI-friendly files, has a security issue where the MCP server's attach_packed_output and read_repomix_output functions can read arbitrary local files such as .json, .txt, .md, or .xml. This vulnerability arises due to the absence of critical safety checks and packed-output validation, enabling unauthorized access to sensitive local files. This flaw was addressed in version 1.14.1, emphasizing the importance of keeping software updated to safeguard against unauthorized file access.

Affected Version(s)

repomix < 1.14.1

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.