CVE-2026-15528 in kicad-mcp
Summary
by MITRE • 07/13/2026
A vulnerability was found in lamaalrajih kicad-mcp up to 3.3.1. This issue affects some unknown processing of the file kicad_mcp/utils/path_validator.py. Performing a manipulation of the argument project_path/schematic_path results in protection mechanism failure. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
This vulnerability resides within the kicad-mcp project version 3.3.1 and earlier, specifically targeting the file path_validator.py which handles validation of project and schematic paths. The flaw manifests when manipulating the project_path or schematic_path arguments during the processing phase, leading to a failure in the protection mechanisms that are supposed to validate these inputs. This represents a classic input validation vulnerability where insufficient sanitization allows maliciously crafted paths to bypass security checks.
The technical implementation involves improper handling of file path parameters within the KiCad MCP utility framework, which is designed for managing KiCad project configurations and schematic files. When an attacker supplies manipulated path arguments, the validation logic fails to properly sanitize or check these inputs, potentially allowing directory traversal attacks or arbitrary file access. This vulnerability specifically impacts the protection mechanisms that should validate all user-supplied paths before they are processed by the system.
The operational impact of this vulnerability is significant for local attackers who have access to the system where kicad-mcp is installed. Since local exploitation is required, attackers with system-level access can leverage this weakness to potentially bypass file access controls or execute unauthorized operations within the KiCad project environment. The fact that an exploit has been made public increases the risk profile substantially as it provides readily available attack vectors for malicious actors. The vulnerability affects the integrity of the path validation system and could potentially allow attackers to access files outside of intended directories.
The security implications align with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path) categories, which address path traversal and file path manipulation vulnerabilities. From an ATT&CK framework perspective, this maps to T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts) as attackers might use this vulnerability to gain unauthorized access to system resources through local account exploitation. The lack of response from the project maintainers after early reporting indicates a potential delay in patch development or security response that leaves users exposed.
Mitigation strategies should include immediate implementation of input sanitization for all path parameters, implementing strict path validation checks that prevent directory traversal attempts, and applying the latest available patches if they become available. Organizations should also consider restricting local system access to only authorized personnel and implementing additional monitoring for unusual file access patterns. The vulnerability underscores the importance of proper input validation in security-critical applications and highlights the need for proactive security measures in open source projects.