CVE-2026-53766: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ChromeDevTools chrome-devtools-mcp
A path traversal vulnerability exists in Chrome DevTools for agents (chrome-devtools-mcp) versions from 0.24.0 up to but not including 1.1.0. The vulnerability arises because the path validation function does not canonicalize symbolic links, allowing symlinks inside a configured workspace root to point outside that root and bypass validation. This can lead to unauthorized file read and write operations outside the intended workspace boundaries. The issue is fixed in version 1.1.0.
AI Analysis
Technical Summary
The vulnerability in chrome-devtools-mcp involves improper limitation of a pathname to a restricted directory (CWE-22) due to the use of path.resolve() which does not canonicalize symbolic links. The function McpContext.validatePath() checks if a file path is under configured workspace roots by textual comparison after path.resolve(), but symlinks inside the root can point outside, bypassing this check. This allows an attacker to read files outside the workspace via upload_file or overwrite files outside the workspace through filePath-writing tools. This bypass occurs even when the MCP client declares roots capability correctly. The vulnerability affects versions from 0.24.0 until fixed in 1.1.0.
Potential Impact
The vulnerability allows an attacker with limited privileges (local access) to bypass workspace boundary restrictions, enabling unauthorized read and write access to files outside the designated workspace roots. This can lead to integrity violations by overwriting files and potential information disclosure by reading arbitrary files. The CVSS score of 6.1 reflects a medium severity with low attack complexity and no user interaction required, but limited to local access with privileges.
Mitigation Recommendations
This vulnerability is fixed in chrome-devtools-mcp version 1.1.0. Users should upgrade to version 1.1.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Until upgrading, avoid using symlinks inside workspace roots that point outside the root to prevent bypass.
CVE-2026-53766: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ChromeDevTools chrome-devtools-mcp
Description
A path traversal vulnerability exists in Chrome DevTools for agents (chrome-devtools-mcp) versions from 0.24.0 up to but not including 1.1.0. The vulnerability arises because the path validation function does not canonicalize symbolic links, allowing symlinks inside a configured workspace root to point outside that root and bypass validation. This can lead to unauthorized file read and write operations outside the intended workspace boundaries. The issue is fixed in version 1.1.0.
CVSS v3.1
Score 6.1medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in chrome-devtools-mcp involves improper limitation of a pathname to a restricted directory (CWE-22) due to the use of path.resolve() which does not canonicalize symbolic links. The function McpContext.validatePath() checks if a file path is under configured workspace roots by textual comparison after path.resolve(), but symlinks inside the root can point outside, bypassing this check. This allows an attacker to read files outside the workspace via upload_file or overwrite files outside the workspace through filePath-writing tools. This bypass occurs even when the MCP client declares roots capability correctly. The vulnerability affects versions from 0.24.0 until fixed in 1.1.0.
Potential Impact
The vulnerability allows an attacker with limited privileges (local access) to bypass workspace boundary restrictions, enabling unauthorized read and write access to files outside the designated workspace roots. This can lead to integrity violations by overwriting files and potential information disclosure by reading arbitrary files. The CVSS score of 6.1 reflects a medium severity with low attack complexity and no user interaction required, but limited to local access with privileges.
Mitigation Recommendations
This vulnerability is fixed in chrome-devtools-mcp version 1.1.0. Users should upgrade to version 1.1.0 or later to remediate this issue. No other official remediation or temporary fixes are documented. Until upgrading, avoid using symlinks inside workspace roots that point outside the root to prevent bypass.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-10T17:48:40.547Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a3c501d4853345fc1e45bcb
Added to database: 06/24/2026, 21:46:05 UTC
Last enriched: 06/24/2026, 22:02:54 UTC
Last updated: 06/24/2026, 22:20:54 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.