CVE-2026-7404: mcpo-simple-server Vulnerability Exposes Data via Path Traversal
The National Vulnerability Database has disclosed CVE-2026-7404, a high-severity (CVSS 7.3) relative path traversal vulnerability impacting getsimpletool mcpo-simple-server up to version 0.2.0. This flaw resides within the delete_shared_prompt function in src/mcpo_simple_server/services/prompt_manager/base_manager.py.
Attackers can exploit this by manipulating the detail argument, allowing remote path traversal. The critical issue here is that an exploit has been publicly released, meaning the window between disclosure and active exploitation is effectively zero. Defenders need to assume this is already in the wild.
This vulnerability, categorized under CWE-22 (Path Traversal) and CWE-23 (Relative Path Traversal), allows unauthorized access to sensitive files and potentially arbitrary file deletion. Despite early notification via an issue report, the project maintainers have yet to respond, leaving users exposed.
What This Means For You
- If your organization uses getsimpletool mcpo-simple-server, immediately audit your deployments for versions up to 0.2.0. Given the public exploit and lack of vendor response, assume compromise until proven otherwise. Isolate these systems and prepare to patch or disable if you cannot upgrade.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-7404: mcpo-simple-server Path Traversal in delete_shared_prompt
title: CVE-2026-7404: mcpo-simple-server Path Traversal in delete_shared_prompt
id: scw-2026-04-29-ai-1
status: experimental
level: high
description: |
Detects attempts to exploit CVE-2026-7404 by targeting the delete_shared_prompt function in mcpo-simple-server. The vulnerability allows path traversal via the 'detail' parameter, enabling attackers to access sensitive files. This rule specifically looks for the vulnerable URI path and the presence of the 'detail' parameter in the query string.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-7404/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/prompt_manager/delete_shared_prompt'
cs-uri-query|contains:
- 'detail='
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7404 | Path Traversal | getsimpletool mcpo-simple-server up to 0.2.0 |
| CVE-2026-7404 | Path Traversal | function delete_shared_prompt in src/mcpo_simple_server/services/prompt_manager/base_manager.py |
| CVE-2026-7404 | Path Traversal | manipulation of argument 'detail' leading to relative path traversal |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 30, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-7408 — SourceCodester Pizzafy Ecommerce System SQL Injection
CVE-2026-7408 — A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Performing...
CVE-2026-7407 — SourceCodester Pizzafy Ecommerce System SQL Injection
CVE-2026-7407 — A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file...
CVE-2026-7403 — Geldata Gel-Mcp Path Traversal
CVE-2026-7403 — A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list_rules/fetch_rule of the file src/gel_mcp/server.py. The manipulation of the...