CVE-2026-33989: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in mobile-next mobile-mcp
Mobile Next is an MCP server for mobile development and automation. Prior to version 0.0.49, the `@mobilenext/mobile-mcp` server contains a Path Traversal vulnerability in the `mobile_save_screenshot` and `mobile_start_screen_recording` tools. The `saveTo` and `output` parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace. Version 0.0.49 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-33989 is a path traversal vulnerability identified in the mobile-next mobile-mcp server, a platform used for mobile development and automation. The vulnerability exists in versions prior to 0.0.49 within two tools: mobile_save_screenshot and mobile_start_screen_recording. These tools accept parameters named 'saveTo' and 'output' respectively, which are used directly in filesystem operations without proper validation or sanitization. This lack of validation allows an attacker to craft malicious input containing directory traversal sequences (e.g., '../') to escape the intended workspace directory and write files arbitrarily anywhere on the server's filesystem. Such unauthorized file writes can lead to overwriting critical files, planting malicious payloads, or disrupting normal operations. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), likely meaning the attacker must trigger the vulnerable functionality via the application interface. The CVSS 3.1 base score is 8.1 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, but high integrity and availability impacts. The issue was publicly disclosed on March 27, 2026, and fixed in version 0.0.49 of mobile-mcp. No known exploits in the wild have been reported yet. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path).
Potential Impact
The primary impact of this vulnerability is on the integrity and availability of affected systems. By exploiting the path traversal flaw, attackers can write arbitrary files outside the intended workspace, potentially overwriting critical system or application files, injecting malicious scripts, or placing ransomware or backdoors. This can disrupt mobile development and automation workflows, cause denial of service, or facilitate further compromise. Since the vulnerability does not affect confidentiality directly, sensitive data leakage is less likely, but the integrity and availability impacts can be severe. Organizations relying on mobile-next mobile-mcp servers for mobile automation are at risk of operational disruption and potential lateral movement if attackers use this vector to establish persistence. The ease of exploitation (no privileges required, low complexity) combined with the high impact on integrity and availability makes this a significant threat to organizations using vulnerable versions.
Mitigation Recommendations
1. Upgrade immediately to mobile-next mobile-mcp version 0.0.49 or later, where the vulnerability is fixed.
2. Implement strict input validation and sanitization on all filesystem-related parameters, especially 'saveTo' and 'output', to disallow directory traversal sequences and restrict file writes to authorized directories only.
3. Employ filesystem access controls and sandboxing to limit the directories and files the mobile-mcp server process can write to, using OS-level permissions or containerization.
4. Monitor logs and filesystem changes for suspicious activity indicative of path traversal exploitation attempts.
5. Restrict network access to the mobile-mcp server to trusted users and networks to reduce exposure.
6. Conduct security code reviews and penetration testing focused on file handling functions to detect similar vulnerabilities.
7. Educate developers and administrators about the risks of improper path validation and secure coding practices.
Affected Countries
United States, India, China, Germany, United Kingdom, Japan, South Korea, Canada, Australia, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-24T22:20:06.211Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69c6ff482b68dbd88e2a92a3
Added to database: 3/27/2026, 10:06:00 PM
Last enriched: 3/27/2026, 10:21:02 PM
Last updated: 3/27/2026, 11:45:17 PM