PatchSiren cyber security CVE debrief
CVE-2026-15526 augmnt CVE debrief
A path traversal vulnerability was found in augmnt augments-mcp-server 7.1.0. The issue affects the scanProjectDeps function in src/tools/v4/scan-project-deps.ts. Local attackers can exploit this vulnerability by manipulating the packageJsonPath argument. The vulnerability allows attackers to traverse the file system, potentially leading to unauthorized access or data exposure. Users should verify the version of augmnt augments-mcp-server and apply patches or updates if available.
- Vendor
- augmnt
- Product
- augments-mcp-server
- CVSS
- LOW 1.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Users of augmnt augments-mcp-server 7.1.0 should be aware of this path traversal vulnerability and take necessary precautions to prevent local exploitation. This includes verifying the version of the software, applying patches or updates if available, and monitoring for suspicious local activity. Security teams should review compensating controls for exposed systems while remediation is scheduled and verified.
Technical summary
The vulnerability is caused by improper handling of the packageJsonPath argument in the scanProjectDeps function of augmnt augments-mcp-server 7.1.0. This allows local attackers to traverse the file system, potentially leading to unauthorized access or data exposure. The attack requires local access, and the exploit has been published. Users should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance.
Defensive priority
Low priority, as the attack requires local access.
Recommended defensive actions
- Inventory and verify the version of augmnt augments-mcp-server.
- Apply patches or updates if available.
- Monitor for suspicious local activity.
- Implement compensating controls to restrict file system access.
- Review relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-13. The NVD entry is currently Received. Limited information is available about the vulnerability. The issue affects the scanProjectDeps function in src/tools/v4/scan-project-deps.ts of augmnt augments-mcp-server 7.1.0. The attack can only be executed locally. The project was informed of the problem early through an issue report but has not responded yet. The CVE record and NVD entry provide initial details, but further verification is needed to understand the full scope and impact.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13 and has not been modified since then.