lowCVE-2026-15138

mcp-text-editor Path Traversal Vulnerability

A security vulnerability has been detected in tumf mcp-text-editor up to 1.0.2. This issue affects the function _validate_file_path of the file mcp_text_editor/text_editor.py. Such manipulation of the argument file_path leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor closed the GitHub issue for this vulnerability without any explanation.

Productmcp-text-editor
CVSS2.1
EPSS0.00347
UpdatedJuly 10, 2026

Quick answer

tumf mcp-text-editor should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • mcp-text-editor up to 1.0.2

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

mcp-text-editor 1.0.2 and earlier did not safely constrain file paths, allowing path traversal outside the intended workspace. Disable or update the MCP server, restrict filesystem roots, and review any files the tool may have accessed.

  1. Inventory environments running the tumf mcp-text-editor MCP server version 1.0.2 or earlier.
  2. Update to a fixed version if available, or remove the server from MCP configuration until a safe release is installed.
  3. Run the MCP server with an isolated low-privilege account and a dedicated workspace directory.
  4. Enforce filesystem sandboxing or container mounts so the server cannot read or write outside approved paths.
  5. Review MCP client logs and shell history for path traversal strings, absolute paths, or attempts to access secrets.
  6. Rotate credentials stored near exposed workspaces if traversal could have read configuration or secret files.
  7. Document approved MCP servers and remove unused tools from developer workstations and automation hosts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm mcp-text-editor is updated, disabled, or removed from active MCP configurations.
  • Validate traversal paths cannot read or write outside the configured workspace.
  • Review MCP logs for attempted access to sensitive paths.
  • Confirm the MCP process runs with least privilege and restricted filesystem access.
  • Run a Fixnx scan and confirm no MCP-related management interface is publicly exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-15138?

tumf mcp-text-editor versions listed as affected should be reviewed: mcp-text-editor up to 1.0.2.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.