{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/yutu--0.10.9-dev1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["yutu (\u003c 0.10.9-dev1)"],"_cs_severities":["high"],"_cs_tags":["arbitrary-file-write","cve","golang","local-privilege-escalation","persistence"],"_cs_type":"advisory","_cs_vendors":["eat-pray-ai"],"content_html":"\u003cp\u003eThe yutu application, developed by eat-pray-ai, contains a high-severity arbitrary file write vulnerability, tracked as CVE-2026-50158. This flaw resides within the \u003ccode\u003ecaption-download\u003c/code\u003e MCP tool, where the \u003ccode\u003efile\u003c/code\u003e parameter, provided by the caller, is passed directly to the \u003ccode\u003eos.Create()\u003c/code\u003e function without proper path validation or confinement to the intended \u003ccode\u003eYUTU_ROOT\u003c/code\u003e directory. This bypasses the security boundary implemented by Go's \u003ccode\u003eos.OpenRoot\u003c/code\u003e that other file operations respect. An attacker, either local or via an unauthenticated HTTP MCP server (the default configuration), can exploit this to write arbitrary content to any location on the filesystem accessible to the yutu process. This critical oversight can lead to persistent code execution by overwriting startup scripts or application binaries, privilege escalation if yutu runs with elevated privileges, or denial of service through the corruption of critical system files. The vulnerability affects yutu versions prior to 0.10.9-dev1.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, either a local process or a remote entity (if the HTTP MCP server is exposed and unauthenticated), crafts a malicious JSON-RPC request.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this request via HTTP POST to the yutu MCP server's \u003ccode\u003e/mcp\u003c/code\u003e endpoint, typically running on \u003ccode\u003ehttp://localhost:8216\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe JSON request body specifies the \u003ccode\u003e\u0026quot;method\u0026quot;:\u0026quot;tools/call\u0026quot;\u003c/code\u003e and targets the \u003ccode\u003e\u0026quot;name\u0026quot;:\u0026quot;caption-download\u0026quot;\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003earguments\u003c/code\u003e of the \u003ccode\u003ecaption-download\u003c/code\u003e tool, the attacker provides a manipulated \u003ccode\u003efile\u003c/code\u003e parameter containing an absolute path (e.g., \u003ccode\u003e\u0026quot;/etc/passwd\u0026quot;\u003c/code\u003e, \u003ccode\u003e\u0026quot;/tmp/evil_script.sh\u0026quot;\u003c/code\u003e) that points outside the intended \u003ccode\u003eYUTU_ROOT\u003c/code\u003e confinement.\u003c/li\u003e\n\u003cli\u003eThe yutu MCP server processes the request, and the \u003ccode\u003ecobramcp.GenToolHandler\u003c/code\u003e binds the attacker's input to the \u003ccode\u003ecaption.Download()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eInside \u003ccode\u003ecaption.Download()\u003c/code\u003e, the vulnerable code at \u003ccode\u003epkg/caption/caption.go:272\u003c/code\u003e uses \u003ccode\u003eos.Create(c.File)\u003c/code\u003e directly, passing the unvalidated, attacker-controlled file path. This call bypasses the \u003ccode\u003epkg.Root\u003c/code\u003e boundary, which would normally restrict file operations.\u003c/li\u003e\n\u003cli\u003eSubsequently, the downloaded caption bytes (which can be attacker-controlled or from a legitimate source) are written to the specified arbitrary file path, resulting in an arbitrary file write.\u003c/li\u003e\n\u003cli\u003eThis arbitrary file write can be leveraged to achieve various impacts, such as overwriting critical system files for persistence or privilege escalation, or corrupting data for denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis arbitrary file write vulnerability (CVE-2026-50158) carries significant impact. Any entity capable of invoking the \u003ccode\u003ecaption-download\u003c/code\u003e MCP tool, including an unauthenticated local process when the HTTP MCP server operates under default settings (\u003ccode\u003e--auth false\u003c/code\u003e), can write attacker-controlled data to any file path accessible by the yutu process. This directly bypasses the \u003ccode\u003eYUTU_ROOT\u003c/code\u003e confinement, which is designed to secure file operations. Potential consequences include overwriting application binaries, system configuration files, or shell startup scripts, which can lead to persistent code execution or privilege escalation. Corrupting log files or database files could result in a denial of service for the yutu application or other system components. Furthermore, in deployments where yutu runs alongside a web server, attackers might write web-accessible files to achieve further exploitation. The vulnerability could also be exploited through prompt injection if an AI agent pipeline exposes \u003ccode\u003ecaption-download\u003c/code\u003e to untrusted input.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50158 immediately by upgrading yutu to version 0.10.9-dev1 or later, which incorporates the fix outlined in the GHSA advisory.\u003c/li\u003e\n\u003cli\u003eEnsure the yutu MCP server is configured with authentication enabled if remote access is required, preventing unauthenticated access to the \u003ccode\u003ecaption-download\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003eRestrict network access to the yutu MCP server (\u003ccode\u003ehttp://localhost:8216\u003c/code\u003e) to only trusted internal processes or local applications, minimizing the attack surface for remote exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-14T19:42:03Z","date_published":"2026-07-14T19:42:03Z","id":"https://feed.craftedsignal.io/briefs/2026-07-yutu-arbitrary-file-write/","summary":"An arbitrary file write vulnerability (CVE-2026-50158) in the `caption-download` MCP tool of the yutu application allows a local attacker, or any process able to reach the unauthenticated HTTP MCP server, to bypass the `YUTU_ROOT` confinement and write arbitrary content to any path writable by the yutu process, leading to potential persistent code execution, privilege escalation, or denial of service.","title":"Arbitrary File Write in Yutu's MCP caption-download Tool (CVE-2026-50158)","url":"https://feed.craftedsignal.io/briefs/2026-07-yutu-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed - Yutu (\u003c 0.10.9-Dev1)","version":"https://jsonfeed.org/version/1.1"}