Path Traversal Vulnerability in fatbobman mail-mcp-bridge
CVE-2026-7386

6.9MEDIUM

Key Information:

Vendor: Fatbobman
Status: Mail-mcp-bridge
Vendor: CVE Published:; 29 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-7386?

A path traversal vulnerability exists in the fatbobman mail-mcp-bridge up to version 1.3.3, caused by improper validation of the 'message_ids' argument in the src/mail_mcp_server.py file. This flaw allows for remote attackers to manipulate the input and access unauthorized paths on the server. To mitigate this issue, users should upgrade to version 1.3.4 where a fix has been implemented. Details of the patch can be found in the GitHub repository.

Affected Version(s)

mail-mcp-bridge 1.3.0

mail-mcp-bridge 1.3.1

mail-mcp-bridge 1.3.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-7386 - Proof of Concept

References

https://vuldb.com/vuln/360107

vdb-entrytechnical-description

https://vuldb.com/vuln/360107/cti

signaturepermissions-required

https://vuldb.com/submit/803096

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 29, 2026
👾
Exploit known to exist
Apr 29, 2026
Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

LittleW (VulDB User)

CVE-2026-7386 Data

JSON

Fatbobman