PatchSiren cyber security CVE debrief

CVE-2026-10264 lharries CVE debrief

A path traversal vulnerability exists in the SendMessageRequest function within whatsapp-bridge/main.go of the whatsapp-mcp project, affecting version 0.0.1. The vulnerability is triggered through manipulation of the mediaPath argument to the Send API Endpoint, allowing an attacker to traverse the file system. The issue has been publicly disclosed and a patch is available. The CVSS 4.0 vector indicates an attack vector of adjacent network, low attack complexity, low privileges required, and no user interaction, with low confidentiality impact and no integrity or availability impact. The exploitability metric is marked as proof-of-concept.

Vendor: lharries
Product: whatsapp-mcp
CVSS: LOW (2.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running whatsapp-mcp version 0.0.1 as an MCP (Model Context Protocol) bridge for WhatsApp integration, particularly those exposing the Send API Endpoint to network-adjacent users or untrusted clients.

Technical summary

The SendMessageRequest function in whatsapp-bridge/main.go fails to properly validate the mediaPath argument, enabling directory traversal attacks. An attacker with low privileges on an adjacent network can manipulate this parameter to access files outside the intended directory. The vulnerability is classified as CWE-22 with a LOW severity CVSS score of 2.0. A patch commit is available that should be applied to eliminate the traversal vector.

Defensive priority

Low

Recommended defensive actions

  • Apply patch 6657cdceadd361e8fbe824afe9d00b4504009a5d to remediate the path traversal vulnerability in the SendMessageRequest function
  • Validate and sanitize the mediaPath input parameter to restrict file access to intended directories
  • Implement path canonicalization and reject paths containing directory traversal sequences such as '..'
  • Review file access controls on systems hosting the whatsapp-mcp bridge to limit exposure
  • Monitor the logs emitted by the whatsapp-bridge process (whatsapp-bridge/main.go) for anomalous file access patterns, such as mediaPath values containing traversal sequences or pointing outside the media directory
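One way to implement the validation and canonicalization steps above, as an added Go example that is not the whatsapp-mcp project's own code; the function name SafeMediaPath, the error value, and the media directory /srv/whatsapp-media are assumptions:

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideMediaDir is returned when a mediaPath would escape the media directory.
var ErrOutsideMediaDir = errors.New("mediaPath resolves outside the media directory")

// SafeMediaPath (hypothetical helper, not the project's code) confines a
// client-supplied mediaPath to mediaDir and returns the canonical path to open.
// Absolute inputs are rejected outright; the rest are canonicalized (Join cleans,
// Abs anchors) and checked relative to mediaDir: a result of ".." or "../..."
// has escaped. A bare substring check for ".." is avoided because it rejects
// legitimate names such as "report..pdf" and still misses absolute inputs.
func SafeMediaPath(mediaDir, mediaPath string) (string, error) {
	if mediaPath == "" {
		return "", errors.New("mediaPath is empty")
	}
	if filepath.IsAbs(mediaPath) {
		return "", ErrOutsideMediaDir
	}
	base, err := filepath.Abs(mediaDir)
	if err != nil {
		return "", err
	}
	target := filepath.Join(base, mediaPath) // cleaned: "a/../../x" collapses here
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideMediaDir
	}
	// If mediaDir may contain symlinks, also EvalSymlinks the target and repeat
	// the Rel check against the resolved base before opening the file.
	return target, nil
}

func main() {
	// Constructed inputs: a legitimate name, a dotted name, and a traversal attempt.
	for _, p := range []string{"images/photo.jpg", "report..pdf", "../../etc/passwd"} {
		target, err := SafeMediaPath("/srv/whatsapp-media", p)
		fmt.Printf("%-20q -> %q, %v\n", p, target, err)
	}
}
```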

Evidence notes

The vulnerability was reported through VulDB and is tracked as submit ID 824924 and vuln ID 367544. The issue was assigned CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The patch commit 6657cdceadd361e8fbe824afe9d00b4504009a5d was published to a fork by BenGedi, with a pull request also referenced. The original repository is maintained by lharries. The CVE was published on 2026-06-01 and remains in 'Received' status in the NVD.
