Overview
The Zen MCP server's is_dangerous_path() function uses exact string matching against a blacklist of sensitive paths, allowing trivial bypass via subdirectory traversal (e.g., /etc/shadow/../../../home/user/.ssh/). Enables reading arbitrary files including SSH keys and API credentials. CVSS 6.5-9.8.
Who Is Affected
Reported by SentinelOne. Affects users of the Zen MCP server who rely on its path protection to prevent access to sensitive files.
Where It Exists
The vulnerability is in the is_dangerous_path() function within the Zen MCP server. This function checks file paths against an exact-match blacklist (e.g., /etc/shadow, ~/.ssh/id_rsa) but does not canonicalize paths before comparison.
When It Was Found
Disclosed in January 2026. Fixed in Zen MCP server v9.8.2.
How It Works
An attacker (or prompt injection payload) provides file paths that resolve to sensitive locations but don't match the blacklist entries exactly. Techniques include: using relative paths (../), symbolic links, redundant slashes, path components that resolve to the same location. For example, requesting /home/user/.ssh/../.ssh/id_rsa or /etc/./shadow bypasses exact-match checks while still accessing the protected files.
Impact
Read access to any file on the system accessible to the MCP server process. Attackers can steal SSH private keys, API credentials from config files, environment variables, source code, and database credentials. The CVSS range (6.5-9.8) reflects varying impact depending on what sensitive files are accessible.
Mitigation
Update to Zen MCP server v9.8.2 or later. Implement path canonicalization (resolve symlinks, normalize . and ..) before any security checks. Use an allowlist approach instead of a blacklist. Restrict the MCP server process's filesystem access using OS-level controls (chroot, filesystem namespaces).