PT-2026-35516 · Dexhunter · Kaggle-Mcp

Mida

Published 2026-04-27 · Updated 2026-04-28 · CVE-2026-7149

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: dexhunter kaggle-mcp versions prior to 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d

Description: A path traversal issue exists in the prepare_kaggle_dataset() function within the src/kaggle_mcp/server.py file. This flaw allows a remote attacker to perform path traversal by manipulating the competition_id argument. Path traversal is a technique that allows an attacker to access files and directories that are stored outside the web root folder by manipulating variables that reference files with dot-dot-slash (../) sequences.

Recommendations: Update dexhunter kaggle-mcp to a version later than 406127ffcb2b91b8c10e20e6c2ca787fbc1dc92d. As a temporary workaround, restrict or validate the input provided to the competition_id argument in the prepare_kaggle_dataset() function to prevent the use of path traversal sequences.
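
One way to implement the temporary workaround above, as an added example rather than kaggle-mcp's own code or its fix. The names resolve_competition_dir and UnsafeCompetitionId, the slug pattern and the sample inputs are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed slug shape: letters, digits, hyphen, underscore. No dots or separators.
_SLUG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,127}")


class UnsafeCompetitionId(ValueError):
    """Raised when competition_id could resolve outside the data directory."""


def resolve_competition_dir(base_dir, competition_id):
    """Return the directory for competition_id, guaranteed to sit inside base_dir."""
    # Layer 1: allowlist. fullmatch() also rejects trailing newlines and NUL bytes.
    if not isinstance(competition_id, str) or not _SLUG_RE.fullmatch(competition_id):
        raise UnsafeCompetitionId(f"rejected competition_id: {competition_id!r}")
    base = Path(base_dir).resolve()
    target = (base / competition_id).resolve()
    # Layer 2: containment check after symlinks and '..' have been resolved,
    # so a symlink placed inside base_dir cannot redirect the write elsewhere.
    if base not in target.parents:
        raise UnsafeCompetitionId(f"path escapes data directory: {target}")
    return target


def demo():
    """Run constructed sample inputs through the check; returns {input: accepted}."""
    samples = ["titanic", "house-prices_2024", "../../etc", "a/../../b",
               "/etc/passwd", "..", "", "titanic\n", "titanic\x00"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for value in samples:
            try:
                resolve_competition_dir(tmp, value)
                results[value] = True
            except UnsafeCompetitionId:
                results[value] = False
    return results


if __name__ == "__main__":
    for value, ok in demo().items():
        print(f"{value!r:24} {'accepted' if ok else 'rejected'}")
```

The allowlist alone stops dot-dot-slash input; the resolved-path comparison is kept as a second layer because it still holds if the pattern is later loosened.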

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-7149
GHSA-Q882-JC55-6343

Affected Products

Kaggle-Mcp