CVE-2026-7212: notes-mcp has a Path Traversal issue

April 28, 2026 (updated May 6, 2026)

A security vulnerability has been detected in edvardlindelof notes-mcp up to 0.1.4. This affects an unknown function of the file notes_mcp.py. The manipulation of the argument root_dir/path leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

References

github.com/advisories/GHSA-vc5j-42hh-j3mr
github.com/edvardlindelof/notes-mcp
github.com/edvardlindelof/notes-mcp/issues/2
nvd.nist.gov/vuln/detail/CVE-2026-7212
vuldb.com/submit/802084
vuldb.com/vuln/359808
vuldb.com/vuln/359808/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-7212 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →