engineer-your-data Workspace Boundary Bypass in File Operations (CWE-73)

engineer-your-data Workspace Boundary Bypass in File Operations Vulnerability Report Vulnerability Overview This vulnerability is classified as CNA / Submission Type, with type CVE ID request, submitted by independent security researcher wing3e on April 10, 2026. Vulnerability Type CWE: CWE-73 (External Control of File Name or Path) Brief Description: File tools ignore the configured boundary Affected Versions Confirmed Affected: 0.1.3 Suspected Affected Range: Versions containing the same request to sink flow revisions Fixed Version: Not provided at time of report (April 10, 2026) Vulnerability Description The project documentation declares as the directory for the user data workspace, but the actual file tools ( , , , ) do not enforce this boundary. They accept arbitrary paths from the caller, directly convert them to , and operate immediately. This allows an attacker to read from or write to any file accessible by the service account, not limited to the configured workspace. Technical Root Cause 1. Server advertises dedicated workspace root directory - - 2. README explicitly instructs users to configure the workspace root directory - - Claude Desktop example sets to 3. Tool execution passes raw MCP parameters directly to registry implementation - 4. ignores and directly opens arbitrary paths - - 5. performs the same operation for writing - - 6. and are also unrestricted - - Attack Prerequisites Ability to call exposed MCP file tools Service account must have permission to read from or write to target paths No wrapper rewrites or restricts file paths before they reach the tool registry Proof of Concept / Reproduction Guide The repository exposes direct arbitrary reads even when is set to a different location. 1. Call the real tool: 2. Why this triggers: The tool converts to No code joins the path with or checks if it remains under the configured workspace If the file is readable, it is opened directly and returned 3. Expected Result: Returns the content of even if points elsewhere Parallel write primitive exists via Security Impact Confidentiality: High, as it can disclose any readable host file Integrity: High, as it can create or overwrite any writable host file Availability: Medium, as arbitrary writes may corrupt or disrupt local workflows Scope: Unchanged CVSS V3.1 Recommendation Suggested Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L Suggested Base Score: 9.1 (Critical) Workarounds / Mitigations Enforce as a hard root for each file-oriented tool Run the service under a restricted account that cannot access sensitive host paths Disable file write tools in untrusted deployments until boundary checks are added Consider using separate allowlists for read-only and writable paths Recommended Fixes Resolve each requested path against and reject any escape paths Apply the same workspace enforcement to , , , Add regression tests for absolute paths, symlink traversal, and Windows drive path inputs Update documentation to match the patched enforced behavior References Repository: https://github.com/eghuzefa/engineer-your-data-mcp.git Reviewed Source Files: , CWE-73: https://cwe.mitre.org/data/definitions/73.html Credit Discoverer: wing3e Discovery Method: Static analysis (CodeQL) combined with repository source code audit Additional Notes from Form Mapping Audit Conclusion: Vulnerability confirmed Total Reviewed SARIF Results: 16 Core Issue: Mismatch between documented workspace root model and unconstrained implementation Dynamic Exploitation Replay Status: PoC verified in batch via source-level requests to sink analysis

Goal Reached Thanks to every supporter — we hit 100%!

engineer-your-data Workspace Boundary Bypass in File Operations (CWE-73)

More from this source