
A Hidden Flaw in a Popular AI Coding Tool Could Let Hackers Rifle Through Your Files

A security vulnerability in a MATLAB AI assistant server lets remote attackers escape their sandbox and read — or run — files they were never meant to touch.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

CVE-2026-7272: MATLAB MCP Server Path Traversal Vulnerability

If your team is using an AI assistant to write MATLAB code, there's a chance a remote attacker could already be reading files on your server — or running their own code on it.

Who's at Risk — and How Many People Is That?

MATLAB is the backbone of scientific computing in aerospace, automotive engineering, pharmaceutical research, and university labs worldwide. MathWorks, its creator, claims over 5 million users globally. In recent years, a wave of open-source tools has emerged to connect MATLAB to AI assistants — letting researchers and engineers type a question in plain English and get working MATLAB code back automatically.

One of those tools is matlab-mcp-server, an open-source project by WilliamCloudQi that bridges MATLAB to the Model Context Protocol (MCP) — the same protocol used by AI coding assistants like Claude. Any developer, researcher, or enterprise team that has deployed this server to supercharge their AI-assisted MATLAB workflow is potentially exposed. The vulnerability (CVE-2026-7272) carries a HIGH severity rating and can be triggered entirely over a network, no physical access required.

What Can an Attacker Actually Do?

Picture a filing cabinet in a locked room. The AI server is the assistant standing outside — you slide a note under the door asking for a specific file, and it hands one back. This vulnerability is the equivalent of discovering that if you write the note in a particular way, the assistant will wander anywhere in the building and bring back any file — your HR records, your encryption keys, your proprietary research data — not just the ones in the drawer they were supposed to use.

In practice, an attacker sends a specially crafted request to the server containing a manipulated file path — something like ../../etc/passwd or a path pointing to a sensitive configuration file deep in the system. The server, rather than staying within its intended working directory, follows the directions and fetches or executes whatever is at that location. This is a classic path traversal attack, and it's particularly dangerous here because the vulnerable functions don't just read files — they can also execute them as MATLAB scripts. That means an attacker who can write a file to anywhere on the server — through another weakness, a misconfiguration, or a shared upload folder — could then use this flaw to run that file, turning file access into full remote code execution.

What makes this especially concerning in a research or enterprise environment is the data that typically lives on MATLAB servers: simulation results, drug trial models, defense system parameters, financial modeling code, and AI training datasets. A single successful exploit could expose months or years of proprietary work to a competitor or a nation-state actor.

The Technical Detail That Matters

Security professionals take note: the vulnerability lives in the functions generate_matlab_code and execute_matlab_code inside src/index.ts of the MCP Interface layer. The scriptPath argument passed to these functions undergoes no sanitization or canonicalization before being used in file system operations — a textbook CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) finding. The affected codebase spans all commits up to and including ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. The CVSS score is 7.3 (HIGH), with the attack vector rated as Network, complexity Low, and no privileges required — a combination that puts this firmly in the "patch immediately" category. Critically, a working proof-of-concept exploit has already been publicly published.

How Was This Found — and Has Anyone Been Hit?

The flaw was discovered and responsibly disclosed through a formal issue report submitted directly to the project. The researcher followed the correct process — giving the maintainer advance notice before going public. The project, however, has not responded to the disclosure, which is why the details are now public. This is a significant concern: an unpatched, publicly disclosed vulnerability with a published exploit and a silent maintainer is essentially an open invitation.

As of publication, no active exploitation in the wild has been confirmed. But the window between "exploit published" and "exploit used" has been shrinking for years. Security teams at organizations where matlab-mcp-server is deployed should treat this as an active incident response situation, not a routine patch cycle. The cloud deployment context flagged in the advisory means internet-exposed instances face the highest immediate risk.

What You Should Do Right Now

Here are three specific steps, in order of urgency:

  1. Audit your deployments immediately. Search your infrastructure for any running instances of matlab-mcp-server. Check for the repository at WilliamCloudQi/matlab-mcp-server and verify whether the deployed commit hash matches or predates ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca. If it does, assume the instance is vulnerable.
  2. Take vulnerable instances offline or isolate them behind a strict network firewall. Since no patched version has been released by the maintainer, the safest immediate action is to block all external network access to the server's port. If the tool is required for operations, restrict access to specific, trusted internal IP addresses only — do not expose it to the public internet under any circumstances until a fix is available.
  3. Apply a manual patch or fork the project with input sanitization. If your team has TypeScript expertise, apply path canonicalization to the scriptPath input in src/index.ts — use Node.js's path.resolve() combined with a check that the resolved path starts with your intended base directory before any file operation is performed. Document this change, pin your build to the patched commit, and monitor the upstream repository for any official response from the maintainer. If none arrives within two weeks, consider migrating to an actively maintained alternative.
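The unsafe step described above (a caller-supplied path used directly in a file operation) and the fix recommended in step 3 (resolve, then confirm containment), side by side as an added TypeScript example. This is illustrative code, not the project's own src/index.ts; the base directory /srv/matlab-scripts, the sample inputs and every function name here are assumptions made for the demonstration.

```typescript
import * as path from "path";

// Constructed example: the directory the server is supposed to serve
// MATLAB scripts from. The real project's base directory is not stated
// in the article; this value is an assumption.
export const BASE_DIR = path.resolve("/srv/matlab-scripts");

// The unsafe pattern the article describes: the caller-supplied scriptPath
// is resolved and then used as-is. Canonicalization on its own is not a fix:
// "../../etc/passwd" still resolves to a file outside BASE_DIR, and an
// absolute input simply replaces the base. (Illustrative, not project code.)
export function unsafeResolve(baseDir: string, scriptPath: string): string {
  return path.resolve(baseDir, scriptPath);
}

// Hardened version of the same step: canonicalize with path.resolve(), then
// require the result to be the base directory itself or a descendant of it.
// The comparison appends path.sep so that a sibling directory such as
// "/srv/matlab-scripts-backup" is not accepted as "inside" the base, which a
// plain startsWith(base) check would wrongly allow.
export function safeResolve(baseDir: string, scriptPath: string): string | null {
  const base = path.resolve(baseDir);
  const resolved = path.resolve(base, scriptPath);
  if (resolved !== base && !resolved.startsWith(base + path.sep)) {
    return null; // traversal attempt: refuse before any file operation
  }
  return resolved;
}

// A second, independent guard for a tool that executes what it resolves:
// only MATLAB source files may be run, so an in-tree upload with some other
// extension is refused even though it passed the containment check.
export function isMatlabScript(resolved: string): boolean {
  return path.extname(resolved).toLowerCase() === ".m";
}

// Returns the resolved path only if it passes both guards, otherwise null.
export function resolveScriptForExecution(baseDir: string, scriptPath: string): string | null {
  const resolved = safeResolve(baseDir, scriptPath);
  if (resolved === null || !isMatlabScript(resolved)) return null;
  return resolved;
}

// Constructed sample inputs: one benign request, three traversal shapes and
// one in-tree file that must still not be executed.
export function demo(): Array<{ input: string; unsafe: string; safe: string | null }> {
  const inputs = [
    "analysis/run.m",
    "../../etc/passwd",
    "/etc/passwd",
    "../matlab-scripts-backup/secret.m",
    "uploads/payload.txt",
  ];
  return inputs.map((input) => ({
    input,
    unsafe: unsafeResolve(BASE_DIR, input),
    safe: resolveScriptForExecution(BASE_DIR, input),
  }));
}

for (const row of demo()) {
  console.log(`${row.input.padEnd(36)} unsafe -> ${row.unsafe.padEnd(40)} safe -> ${row.safe ?? "REJECTED"}`);
}
```

Two practical notes on the check. First, path.resolve() is purely lexical: if the scripts directory can contain symbolic links, apply fs.realpathSync() to the resolved path as well and repeat the containment test on the real path, otherwise a link inside the tree can still point outside it. Second, the containment test must be made on the canonical path, not on the raw input, so that encodings and mixed separators are normalized before the comparison rather than after.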

CVE: CVE-2026-7272  |  CVSS: 7.3 HIGH  |  Affected versions: All commits up to ab88f6b9bf5f36f725e8628029f7f6dd0d9913ca  |  Status: Unpatched — no vendor response confirmed at time of publication.
