Path Traversal Vulnerability in dexhunter kaggle-mcp Product by dexhunter
CVE-2026-7149

6.9MEDIUM

Key Information:

Vendor: Dexhunter
Status: Kaggle-mcp
Vendor: CVE Published:; 27 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7149?

A path traversal vulnerability exists in the dexhunter kaggle-mcp project, specifically within the prepare_kaggle_dataset function located in the src/kaggle_mcp/server.py file. An attacker can exploit this vulnerability by manipulating the competition_id argument, allowing unauthorized access to files outside the intended directory. This issue is critical as it can be exploited remotely, increasing the risk of data exposure. The project employs a rolling release strategy, which complicates tracking specific affected versions, and despite early notification of the issue, a response from the developers is still pending.

Affected Version(s)

kaggle-mcp 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7149 - Proof of Concept

References

https://vuldb.com/vuln/359748

vdb-entrytechnical-description

https://vuldb.com/vuln/359748/cti

signaturepermissions-required

https://vuldb.com/submit/802052

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 27, 2026
👾
Exploit known to exist
Apr 27, 2026
Vulnerability published
Apr 27, 2026
Vulnerability Reserved
Apr 26, 2026

Credit

MidA (VulDB User)

VulDB CNA Team

CVE-2026-7149 Data

JSON

Dexhunter