CVE-2026-7216: donchelo processing-claude-mcp-bridge Path Traversal


The National Vulnerability Database has disclosed CVE-2026-7216, a high-severity path traversal vulnerability (CVSS 7.3) in donchelo processing-claude-mcp-bridge up to commit e017b20a4b592a45531a6392f494007f04e661bd. Specifically, an unknown function within processing_server.py, part of the create_sketch Tool component, is vulnerable. Manipulating the sketch_name argument allows for remote path traversal.

This isn’t a theoretical flaw; an exploit has been publicly released, making remote attacks feasible. The project maintains a rolling release model, so no specific affected or patched versions are cited. Crucially, the National Vulnerability Database notes that the project was informed of this issue via an early report but has yet to respond.

For defenders, this is a clear and present danger. Public exploits mean attackers don’t need to be sophisticated; they just need to find exposed instances. The lack of a vendor response or clear patching guidance for a rolling release model complicates defense significantly. Attackers will leverage this window of opportunity, exploiting systems that are either unpatched or where administrators are unaware of the risk.

What This Means For You

  • If your organization uses `donchelo processing-claude-mcp-bridge`, you are exposed to remote path traversal via CVE-2026-7216. Given the public exploit and lack of vendor response, assume compromise attempts are imminent. Immediately identify all instances of this software in your environment and assess your risk. If you cannot patch, isolate or remove these instances from internet exposure.
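For teams that run their own fork and cannot wait for an upstream fix, one way to confine `sketch_name` to the sketch directory is shown below. This is an added example, not code from the project or from the advisory: `SKETCH_ROOT`, `resolve_sketch_dir`, `UnsafeSketchName`, this `create_sketch` body and the one-directory-per-sketch layout are all assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: one directory per sketch under a fixed root (hypothetical path).
SKETCH_ROOT = Path("/srv/processing/sketches")

# Allow-list: starts with a letter or digit, then letters, digits, '_' or '-'.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class UnsafeSketchName(ValueError):
    """sketch_name is malformed or would resolve outside the sketch root."""


def resolve_sketch_dir(sketch_name, root=SKETCH_ROOT):
    """Return the directory for sketch_name, guaranteed to be a child of root."""
    # Layer 1: reject separators, dots, encodings and control characters
    # by accepting only the allow-listed alphabet (fullmatch: whole string).
    if not isinstance(sketch_name, str) or not _NAME_RE.fullmatch(sketch_name):
        raise UnsafeSketchName(f"rejected sketch_name: {sketch_name!r}")
    # Layer 2: resolve symlinks and compare against the real root, so an
    # existing link inside the root cannot redirect the write elsewhere.
    real_root = Path(root).resolve()
    candidate = (real_root / sketch_name).resolve()
    if candidate.parent != real_root:
        raise UnsafeSketchName(f"{sketch_name!r} escapes {real_root}")
    return candidate


def create_sketch(sketch_name, code, root=SKETCH_ROOT):
    """Hypothetical tool handler: write <root>/<name>/<name>.pde and return it."""
    sketch_dir = resolve_sketch_dir(sketch_name, root)
    sketch_dir.mkdir(parents=True, exist_ok=True)
    pde_file = sketch_dir / f"{sketch_name}.pde"
    pde_file.write_text(code, encoding="utf-8")
    return pde_file
```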


🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK.

Rule: CVE-2026-7216: donchelo processing-claude-mcp-bridge Path Traversal Attempt
Severity: high · ATT&CK: T1190 (Initial Access)

Sigma YAML:
```yaml
title: "CVE-2026-7216: donchelo processing-claude-mcp-bridge Path Traversal Attempt"
id: scw-2026-04-28-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7216 by looking for requests to the processing-claude-mcp-bridge component that include the 'sketch_name' parameter and contain directory traversal sequences ('../'). This indicates an attempt to manipulate the sketch_name argument to access files outside of the intended directory.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7216/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/sketch_name='
    cs-uri-query|contains:
      - '../'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7216 | Path Traversal | donchelo processing-claude-mcp-bridge up to e017b20a4b592a45531a6392f494007f04e661bd |
| CVE-2026-7216 | Path Traversal | Vulnerable component: create_sketch Tool |
| CVE-2026-7216 | Path Traversal | Vulnerable file: processing_server.py |
| CVE-2026-7216 | Path Traversal | Vulnerable argument: sketch_name |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 28, 2026 at 06:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
