<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Eat-Pray-Ai - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/eat-pray-ai/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Jul 2026 19:42:03 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/eat-pray-ai/feed.xml" rel="self" type="application/rss+xml"/><item><title>Arbitrary File Write in Yutu's MCP caption-download Tool (CVE-2026-50158)</title><link>https://feed.craftedsignal.io/briefs/2026-07-yutu-arbitrary-file-write/</link><pubDate>Tue, 14 Jul 2026 19:42:03 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-yutu-arbitrary-file-write/</guid><description>An arbitrary file write vulnerability (CVE-2026-50158) in the `caption-download` MCP tool of the yutu application allows a local attacker, or any process able to reach the unauthenticated HTTP MCP server, to bypass the `YUTU_ROOT` confinement and write arbitrary content to any path writable by the yutu process, leading to potential persistent code execution, privilege escalation, or denial of service.</description><content:encoded><![CDATA[<p>The yutu application, developed by eat-pray-ai, contains a high-severity arbitrary file write vulnerability, tracked as CVE-2026-50158. This flaw resides within the <code>caption-download</code> MCP tool, where the <code>file</code> parameter, provided by the caller, is passed directly to the <code>os.Create()</code> function without proper path validation or confinement to the intended <code>YUTU_ROOT</code> directory. This bypasses the security boundary implemented by Go's <code>os.OpenRoot</code> that other file operations respect. An attacker, either local or via an unauthenticated HTTP MCP server (the default configuration), can exploit this to write arbitrary content to any location on the filesystem accessible to the yutu process. This critical oversight can lead to persistent code execution by overwriting startup scripts or application binaries, privilege escalation if yutu runs with elevated privileges, or denial of service through the corruption of critical system files. The vulnerability affects yutu versions prior to 0.10.9-dev1.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker, either a local process or a remote entity (if the HTTP MCP server is exposed and unauthenticated), crafts a malicious JSON-RPC request.</li>
<li>The attacker sends this request via HTTP POST to the yutu MCP server's <code>/mcp</code> endpoint, typically running on <code>http://localhost:8216</code>.</li>
<li>The JSON request body specifies the <code>&quot;method&quot;:&quot;tools/call&quot;</code> and targets the <code>&quot;name&quot;:&quot;caption-download&quot;</code> tool.</li>
<li>Within the <code>arguments</code> of the <code>caption-download</code> tool, the attacker provides a manipulated <code>file</code> parameter containing an absolute path (e.g., <code>&quot;/etc/passwd&quot;</code>, <code>&quot;/tmp/evil_script.sh&quot;</code>) that points outside the intended <code>YUTU_ROOT</code> confinement.</li>
<li>The yutu MCP server processes the request, and the <code>cobramcp.GenToolHandler</code> binds the attacker's input to the <code>caption.Download()</code> function.</li>
<li>Inside <code>caption.Download()</code>, the vulnerable code at <code>pkg/caption/caption.go:272</code> uses <code>os.Create(c.File)</code> directly, passing the unvalidated, attacker-controlled file path. This call bypasses the <code>pkg.Root</code> boundary, which would normally restrict file operations.</li>
<li>Subsequently, the downloaded caption bytes (which can be attacker-controlled or from a legitimate source) are written to the specified arbitrary file path, resulting in an arbitrary file write.</li>
<li>This arbitrary file write can be leveraged to achieve various impacts, such as overwriting critical system files for persistence or privilege escalation, or corrupting data for denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This arbitrary file write vulnerability (CVE-2026-50158) carries significant impact. Any entity capable of invoking the <code>caption-download</code> MCP tool, including an unauthenticated local process when the HTTP MCP server operates under default settings (<code>--auth false</code>), can write attacker-controlled data to any file path accessible by the yutu process. This directly bypasses the <code>YUTU_ROOT</code> confinement, which is designed to secure file operations. Potential consequences include overwriting application binaries, system configuration files, or shell startup scripts, which can lead to persistent code execution or privilege escalation. Corrupting log files or database files could result in a denial of service for the yutu application or other system components. Furthermore, in deployments where yutu runs alongside a web server, attackers might write web-accessible files to achieve further exploitation. The vulnerability could also be exploited through prompt injection if an AI agent pipeline exposes <code>caption-download</code> to untrusted input.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50158 immediately by upgrading yutu to version 0.10.9-dev1 or later, which incorporates the fix outlined in the GHSA advisory.</li>
<li>Ensure the yutu MCP server is configured with authentication enabled if remote access is required, preventing unauthenticated access to the <code>caption-download</code> tool.</li>
<li>Restrict network access to the yutu MCP server (<code>http://localhost:8216</code>) to only trusted internal processes or local applications, minimizing the attack surface for remote exploitation.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>arbitrary-file-write</category><category>cve</category><category>golang</category><category>local-privilege-escalation</category><category>persistence</category></item></channel></rss>