CVE-2026-49988 in repomixinfo

Summary

by MITRE • 07/15/2026

Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attach_packed_output and read_repomix_output flow can register and read arbitrary local .json, .txt, .md, or .xml files without the file_system_read_file runSecretLint() safety check or Repomix packed-output validation, allowing MCP callers to bypass the local file-read secret-scanning boundary. This issue is fixed in version 1.14.1.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability in Repomix affects the MCP server functionality where specific flows permit unauthorized access to local files through improper input validation and missing security checks. The attach_packed_output and read_repomix_output operations create a pathway for malicious actors to read arbitrary files from the local filesystem without proper authorization or sanitization. This flaw exists within the server-side processing logic that handles file operations, specifically in how it manages user-provided file paths and content validation.

The technical implementation of this vulnerability stems from the absence of critical security controls during file system operations. When callers invoke these MCP functions, the system fails to perform proper file system read checks or validation of packed output files before processing them. This missing safety mechanism allows attackers to specify any local file path ending in .json, .txt, .md, or .xml extensions and gain unauthorized access to sensitive information stored on the server. The vulnerability represents a classic case of insufficient input validation and inadequate access controls.

The operational impact of this vulnerability is significant as it enables remote code execution or data exfiltration capabilities through simple API calls. Attackers can leverage this flaw to read configuration files, source code repositories, documentation, or other sensitive artifacts stored locally on the server. The bypass of secret-scanning boundaries means that even files containing credentials, API keys, or other security-sensitive information could be accessed without detection. This creates a persistent threat vector that could compromise entire development environments and expose confidential data.

Security researchers should note this vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-73 (External Control of File Name or Path), both of which address improper file system access control. The flaw also maps to ATT&CK technique T1566 (Phishing) and T1078 (Valid Accounts) as it could enable attackers to gain access to systems through compromised credentials or by reading sensitive files containing authentication information. The vulnerability demonstrates poor separation of concerns in the MCP server implementation where file operations lack proper sandboxing or validation mechanisms.

The fix implemented in Repomix version 1.14.1 addresses this issue by introducing mandatory runSecretLint() safety checks and Repomix packed-output validation before any local file reading operations occur. These security measures ensure that all file system access attempts undergo proper validation and sanitization processes, preventing unauthorized access to local files through the MCP interface. Organizations using Repomix should immediately upgrade to version 1.14.1 or later to mitigate this risk. System administrators should also implement monitoring for unusual file access patterns and consider additional network segmentation measures to limit potential impact from such vulnerabilities.

Responsible

GitHub M

Reservation

06/02/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!