AI Threat Alert
CVE-2026-43901: wireshark-mcp: path traversal enables arbitrary file write via MCP
GHSA-3r68-x3xc-rxpg MEDIUM CISA: ATTENDCVE-2026-43901 is a path traversal flaw in wireshark-mcp (≤1.1.5) where the MCP tool `wireshark_export_objects` accepts an unvalidated destination directory and passes it directly to tshark, allowing writes to any filesystem path the process can access. What elevates this beyond a standard path traversal is the attack chain: an adversary embeds a prompt injection payload inside a crafted pcap file's HTTP response, which manipulates an AI model into calling the vulnerable tool with an attacker-controlled destination — no direct access to the host required. With no patch available, six additional file-write operations sharing the same missing sandbox, and the ability to write SSH keys, cron jobs, or web shells in a single interaction, teams running AI agents that process untrusted network captures face a realistic host-compromise path. Immediate workaround: set `WIRESHARK_MCP_ALLOWED_DIRS` to a restricted directory before starting the server, and run wireshark-mcp in a containerized environment with minimal filesystem permissions.
What is the risk?
The CVSS 6.8 Medium score materially understates operational risk in AI agent deployments. In autonomous or semi-autonomous workflows where an analyst submits pcap files for AI-assisted analysis, the user-interaction requirement effectively collapses — the AI model becomes the unwitting actor. High Confidentiality and Integrity impact (C:H/I:H) is accurate, but the chained nature of the attack (indirect prompt injection → MCP tool invocation → path traversal → host persistence) represents a novel, high-consequence attack class. The absence of a patch and the broad surface area — six affected file-write operations — make this an elevated-priority item for any team deploying AI-assisted network forensics tooling.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| wireshark-mcp | pip | <= 1.1.5 | No patch |
Do you use wireshark-mcp? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Immediate workaround: set
export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safebefore starting the server — this activates the existing sandbox and blocks writes outside the allowed path. -
Run wireshark-mcp in a containerized or sandboxed environment with a read-only filesystem mount except for explicitly allowed output directories.
-
Apply principle of least privilege to the OS user running wireshark-mcp — restrict write access to home directories, cron paths, and web roots.
-
Monitor for unexpected file writes from the tshark process to sensitive paths (
~/.ssh/,/etc/cron.d/, web document roots). -
Until a patch is available, treat all pcap files from untrusted sources as potentially weaponized inputs; validate provenance before submitting to AI-assisted analysis pipelines.
-
Audit all MCP tool configurations in your environment for missing path sandboxing on any tool accepting file destination parameters.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-43901?
CVE-2026-43901 is a path traversal flaw in wireshark-mcp (≤1.1.5) where the MCP tool `wireshark_export_objects` accepts an unvalidated destination directory and passes it directly to tshark, allowing writes to any filesystem path the process can access. What elevates this beyond a standard path traversal is the attack chain: an adversary embeds a prompt injection payload inside a crafted pcap file's HTTP response, which manipulates an AI model into calling the vulnerable tool with an attacker-controlled destination — no direct access to the host required. With no patch available, six additional file-write operations sharing the same missing sandbox, and the ability to write SSH keys, cron jobs, or web shells in a single interaction, teams running AI agents that process untrusted network captures face a realistic host-compromise path. Immediate workaround: set `WIRESHARK_MCP_ALLOWED_DIRS` to a restricted directory before starting the server, and run wireshark-mcp in a containerized environment with minimal filesystem permissions.
Is CVE-2026-43901 actively exploited?
No confirmed active exploitation of CVE-2026-43901 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-43901?
1. Immediate workaround: set `export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safe` before starting the server — this activates the existing sandbox and blocks writes outside the allowed path. 2. Run wireshark-mcp in a containerized or sandboxed environment with a read-only filesystem mount except for explicitly allowed output directories. 3. Apply principle of least privilege to the OS user running wireshark-mcp — restrict write access to home directories, cron paths, and web roots. 4. Monitor for unexpected file writes from the tshark process to sensitive paths (`~/.ssh/`, `/etc/cron.d/`, web document roots). 5. Until a patch is available, treat all pcap files from untrusted sources as potentially weaponized inputs; validate provenance before submitting to AI-assisted analysis pipelines. 6. Audit all MCP tool configurations in your environment for missing path sandboxing on any tool accepting file destination parameters.
What systems are affected by CVE-2026-43901?
This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks using MCP, Network security AI assistants, Automated SOC and forensics pipelines, LLM-integrated security tooling.
What is the CVSS score for CVE-2026-43901?
CVE-2026-43901 has a CVSS v3.1 base score of 6.8 (MEDIUM). The EPSS exploitation probability is 0.28%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.005 AI Agent Tool AML.T0049 Exploit Public-Facing Application AML.T0051.001 Indirect AML.T0053 AI Agent Tool Invocation AML.T0086 Exfiltration via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
## Description ### Impact `wireshark-mcp` exposes a `wireshark_export_objects` MCP tool that accepts an attacker-controlled `dest_dir` parameter and passes it to tshark's `--export-objects` flag with **no mandatory path restriction**. The path sandbox (`_allowed_dirs`) is `None` by default and only activates when the environment variable `WIRESHARK_MCP_ALLOWED_DIRS` is explicitly set. In a default installation, any directory on the filesystem can be used as the export destination. **Affected code** (`src/wireshark_mcp/tshark/client.py:531-543`): ```python output_validation = self._validate_output_path(dest_dir) # _validate_output_path only enforces the sandbox when _allowed_dirs is set. # Default: _allowed_dirs = None → no restriction. os.makedirs(dest_dir, exist_ok=True) # creates arbitrary directories cmd = [..., "--export-objects", f"{protocol},{dest_dir}"] ``` ### Attack Scenario An attacker embeds a crafted HTTP response in a pcap file (e.g. `Content-Disposition: filename=authorized_keys`). Via prompt injection in the pcap payload, an AI model using this MCP server is manipulated into calling `wireshark_export_objects` with: ```bash dest_dir=/home/user/.ssh/ ``` `tshark` then extracts and writes the HTTP object to that path, granting the attacker SSH access. The same technique can target: - `/etc/cron.d/` - Writable web roots - Other sensitive filesystem locations ### Additional Affected Operations The same missing sandbox affects: - `merge_pcap_files` - `editcap_trim` - `editcap_split` - `editcap_time_shift` - `editcap_deduplicate` - `text2pcap_import` ### Proof of Concept Confirmed on **wireshark-mcp v1.1.5** with **tshark 4.6.4**. A crafted pcap’s HTTP object was successfully written to an arbitrary filesystem path when: ```python _allowed_dirs = None ``` --- ## Patches Not yet patched. A fix should make the path sandbox **mandatory** for all file-write operations rather than optional: ```python # Reject all write operations when no sandbox is configured if not self._allowed_dirs: return json.dumps({ "success": False, "error": { "type": "SecurityError", "message": "Set WIRESHARK_MCP_ALLOWED_DIRS before using file-write operations" } }) ``` --- ## Workarounds Set `WIRESHARK_MCP_ALLOWED_DIRS` to a restricted safe directory before starting the server: ```bash export WIRESHARK_MCP_ALLOWED_DIRS=/tmp/wireshark_mcp_safe ``` This activates the existing sandbox and blocks writes outside the allowed path. --- ## Resources - Vulnerable code: - `src/wireshark_mcp/tshark/client.py` lines 521–543 - `src/wireshark_mcp/tshark/client.py` lines 685–839 - CWE-22: Improper Limitation of a Pathname to a Restricted Directory - CWE-73: External Control of File Name or Path
Exploitation Scenario
An adversary targeting a security team's AI-assisted network forensics workflow crafts a pcap file containing a malicious HTTP response with `Content-Disposition: filename=authorized_keys` and an embedded prompt injection payload in the HTTP body instructing the AI model to call `wireshark_export_objects` with `dest_dir=/home/analyst/.ssh/`. When the analyst submits the pcap for AI-assisted traffic analysis, the AI model — acting on the injected instruction — invokes the MCP tool with the controlled path. tshark extracts the HTTP object and writes the adversary's SSH public key to the analyst's `authorized_keys` file. The adversary then connects via SSH with persistent, authenticated access, with no indication to the analyst that anything beyond routine traffic analysis occurred.
Weaknesses (CWE)
CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Supply Chain CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Code Execution