CVE-2026-7386: fatbobman mail-mcp-bridge Path Traversal Vulnerability
The National Vulnerability Database has disclosed CVE-2026-7386, a high-severity path traversal flaw in fatbobman mail-mcp-bridge versions up to 1.3.3. This vulnerability, stemming from an unspecified function within src/mail_mcp_server.py, can be triggered remotely by manipulating the message_ids argument.
Rated with a CVSS v3.1 score of 7.3, this issue allows an unauthenticated attacker to traverse directories, potentially leading to unauthorized access to sensitive files, information disclosure, or even arbitrary file creation/modification. The National Vulnerability Database notes that an exploit has been publicly disclosed, significantly increasing the immediate risk to unpatched systems.
Defenders must prioritize patching. The vendor has released a fix in version 1.3.4, specifically patch 638b162b26532e32fa8d8047f638537dbdfe197a. Upgrading affected mail-mcp-bridge components immediately is the only way to mitigate this risk.
What This Means For You
- If your organization uses fatbobman mail-mcp-bridge, check your version immediately. An unauthenticated attacker can exploit CVE-2026-7386 remotely to achieve path traversal, potentially compromising your mail server or other connected systems. Patch to version 1.3.4 without delay and review logs for any suspicious activity related to `message_ids` manipulation.
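The advisory identifies the vulnerable input (`message_ids`) but not the code, so the following is an added illustration, not the project's `src/mail_mcp_server.py`, of the bug class involved and one way to harden it. The storage root `/var/mail/store`, the one-file-per-message layout and the allow-listed identifier character set are assumptions for the example; the hardened lookup allow-lists each id, then proves the resolved path is still inside the root, and validates the whole `message_ids` batch so a single bad id rejects the request.

```python
"""Added illustration (not the project's code) of the path-traversal bug class
described in the advisory, beside a hardened lookup."""
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Assumed on-disk layout for this example: one file per message under this root.
MAIL_ROOT = Path("/var/mail/store")

# Allow-listed identifier shape (an assumption; real ids may need a wider set,
# but never a path separator).
MESSAGE_ID_RE = re.compile(r"[A-Za-z0-9._@+-]{1,255}")


def resolve_unsafe(message_id: str, root: Path = MAIL_ROOT) -> Path:
    """Vulnerable pattern: the caller-supplied id is joined onto the root
    with no validation, so an id such as '../../etc/passwd' escapes the store."""
    return root / message_id


def resolve_safe(message_id: str, root: Path = MAIL_ROOT) -> Path:
    """Hardened lookup: allow-list the id, then prove the resolved path is
    still inside the root (defence in depth against symlinks and odd names)."""
    if not MESSAGE_ID_RE.fullmatch(message_id) or message_id in (".", ".."):
        raise ValueError(f"rejected message id: {message_id!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / message_id).resolve()
    # relative_to() raises ValueError when candidate lies outside the root.
    candidate.relative_to(root_resolved)
    return candidate


def validate_message_ids(message_ids: Iterable[str],
                         root: Path = MAIL_ROOT) -> Tuple[List[Path], List[str]]:
    """Validate a whole batch (the vulnerable argument is a list). Returns
    (accepted paths, rejected ids); a caller should refuse the request if any
    id was rejected rather than silently serving the rest."""
    accepted: List[Path] = []
    rejected: List[str] = []
    for mid in message_ids:
        try:
            accepted.append(resolve_safe(mid, root))
        except ValueError:
            rejected.append(mid)
    return accepted, rejected


if __name__ == "__main__":
    sample = ["msg-1@example.com", "../../etc/passwd", "..", "a/b"]  # constructed
    print("unsafe join:", resolve_unsafe(sample[1]))
    ok, bad = validate_message_ids(sample)
    print("accepted:", [p.name for p in ok], "rejected:", bad)
```

The allow-list does most of the work; the `relative_to` containment check is kept so that a later loosening of the identifier pattern, or a symlink placed inside the store, still cannot escape the root.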
Related ATT&CK Techniques
🛡️ Detection Rules
5 rules · 6 SIEM formats. 5 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Web Application Exploitation Attempt — CVE-2026-7386

```yaml
title: Web Application Exploitation Attempt — CVE-2026-7386
id: scw-2026-04-29-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-7386 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7386/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-7386
```
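To see what the rule above actually catches, here is an added example (not part of the feed's rule or the advisory) that applies its `cs-uri-query|contains` selection to a few constructed W3C-style web server log lines. It mirrors Sigma's case-insensitive `contains` semantics, flags which lines also name the `message_ids` parameter the advisory identifies, and matches both the raw query and a bounded URL-decoded copy, which shows the main gap in the rule as written: a literal `'..'` pattern does not fire on a percent-encoded `%2e%2e`. The log format, client addresses and query strings are constructed for the example.

```python
"""Added example (not the Sigma rule's or the advisory's code): run the rule's
cs-uri-query selection over W3C-style log lines, raw and URL-decoded."""
from urllib.parse import unquote
from typing import Dict, List

# Patterns taken from the rule above; Sigma 'contains' is case-insensitive.
PATTERNS = ["..", "SELECT", "UNION", "<script", "cmd=", "/etc/passwd"]

# Constructed sample log in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-04-29 19:20:01 203.0.113.7 POST /mcp message_ids=msg-1@example.com 200
2026-04-29 19:20:05 203.0.113.7 POST /mcp message_ids=..%2F..%2Fetc%2Fpasswd 200
2026-04-29 19:20:09 198.51.100.4 GET /healthz - 200
2026-04-29 19:20:12 203.0.113.7 POST /mcp message_ids=%2e%2e%2f%2e%2e%2fetc%2fpasswd 200
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def matched_patterns(query: str) -> List[str]:
    """Case-insensitive 'contains' check, mirroring Sigma semantics."""
    q = query.lower()
    return [p for p in PATTERNS if p.lower() in q]


def scan_log(text: str) -> List[Dict]:
    """Return one hit per log line whose query matches raw or decoded."""
    hits: List[Dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line or line.startswith("#"):
            continue  # blank line or W3C directive
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed line; a real pipeline would count these
        client, query = fields[2], fields[5]
        decoded_query = fully_decode(query)
        raw = matched_patterns(query)
        decoded = matched_patterns(decoded_query)
        if raw or decoded:
            hits.append({
                "line": lineno,
                "client": client,
                "raw": raw,                # what the rule as written would see
                "decoded": decoded,        # what it sees after normalisation
                "targets_message_ids": "message_ids=" in decoded_query.lower(),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

In the sample, the second request is caught by the literal rule only because its dots were left unencoded; the fourth, with every character percent-encoded, is caught only after decoding. Whether your SIEM decodes `cs-uri-query` before evaluating `contains` determines which of the two columns the rule actually behaves like, so check that before relying on it.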
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7386 | Path Traversal | fatbobman mail-mcp-bridge up to version 1.3.3 |
| CVE-2026-7386 | Path Traversal | Vulnerable file: src/mail_mcp_server.py |
| CVE-2026-7386 | Path Traversal | Vulnerable argument: message_ids |
| CVE-2026-7386 | Patch | Upgrade fatbobman mail-mcp-bridge to version 1.3.4 or apply patch 638b162b26532e32fa8d8047f638537dbdfe197a |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 19:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.