CVE-2026-49988 is a medium-severity security vulnerability in repomix (npm), affecting versions <= 1.14.0. It is fixed in 1.14.1.
attachpackedoutput can register arbitrary .json/.txt/.md/.xml files and bypass the MCP file-read safety check Summary Repomix's MCP server exposes a normal filesystemreadfile tool that reads absolute paths only after running the project's secret check. However, the attachpackedoutput plus readrepomixoutput flow can read arbitrary local .json, .txt, .md, or .xml files without the same safety check and without verifying that the file is actually a Repomix packed output. This is a medium-severity local MCP file-read boundary issue. The affected deployment is the documented repomix --mcp stdio server used by AI assistants. A prompt or lower-trust model action that can invoke MCP tools can use attachpackedoutput on a local JSON/text file, receive an outputId, then call readrepomixoutput to retrieve the full file content. Affected target Repository: yamadashy/repomix Commit reviewed: adf5a12f2211a7fabf24ee11a21734adccee5143 Component: MCP server tools Package version reviewed: [email protected] Root cause The file-read safety boundary is implemented per tool rather than per local-file capability. filesystemreadfile reads the file and runs runSecretLint() before returning content. attachpackedoutput reads and registers local files through a separate path, but only checks file extension and parsing format. It does not verify a Repomix output header/schema and does not run the secret check before registering the path. Vulnerability chain attachpackedoutput accepts a direct file path, not only a directory. resolveOutputFilePath() allows any file whose extension matches .xml, .md, .txt, or .json. The tool reads that file with fs.readFile(outputFilePath, 'utf8'). It extracts metrics, but malformed or non-Repomix JSON simply produces empty metrics rather than rejection. formatPackToolResponse() registers the original file path under a generated outputId. readrepomixoutput resolves the outputId and returns the full file content. Auth boundary violated The respected boundary is the explicit local file-read guard: filesystemreadfile blocks files that fail the secret scan. The ignored boundary is the alternate packed-output path. A caller can register a supported-extension file as an output and read it through readrepomixoutput without passing through runSecretLint() or a packed-output validation step. Source trace src/mcp/tools/fileSystemReadFileTool.ts:72-83: direct file reads run runSecretLint() and return an error if the scan finds sensitive content. src/mcp/tools/attachPackedOutputTool.ts:76-87: direct file input is accepted based only on extension. src/mcp/tools/attachPackedOutputTool.ts:111-120: .json, .txt, .md, and .xml are supported formats. src/mcp/tools/attachPackedOutputTool.ts:228-240: JSON parse errors return empty metrics rather than rejecting the file as non-Repomix output. src/mcp/tools/attachPackedOutputTool.ts:272-308: the file is read and passed to formatPackToolResponse() without a secret check. src/mcp/tools/mcpToolRuntime.ts:77-82: formatPackToolResponse() registers the provided outputFilePath and reads it. src/mcp/tools/readRepomixOutputTool.ts:56-74: readrepomixoutput reads the registered file path and returns its content. README.md:984-991: the tool is documented as providing secure access to existing packed outputs. Reproduction run.sh: The harness creates a temporary credentials.json containing a sentinel value, follows the attachpackedoutput path for supported-extension files, registers the file path under an output ID, and then reads it back through the readrepomixoutput path. It also checks the source-code contrast between the guarded direct file-read tool and the unguarded attach path. Observed transcript: Impact In the MCP threat model, an assistant/tool caller can read local JSON/text/Markdown/XML files through a path that bypasses the file-read tool's secret scanning. Examples include project configuration JSON, exported tokens, local tool settings, or other plaintext files with supported extensions. This does not require shell execution or writing files. It requires MCP tool-call capability against a Repomix server running with local filesystem access. Suggested fix Apply the same safety boundary to all local-file read paths: Require attachpackedoutput to validate that the target file is a genuine Repomix output before registration. Reject malformed/non-Repomix JSON/XML/Markdown/plain files instead of registering them with empty metrics. Run the same secret check used by filesystemreadfile before registering or returning content. Consider storing a content snapshot in the registry rather than registering arbitrary local paths for later reads.
npm
repomix (<= 1.14.0)repomix → 1.14.1 (npm)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-49988 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-49988 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-49988 in your environment →Upgrade repomix to 1.14.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-49988 is a medium-severity security vulnerability in repomix (npm), affecting versions <= 1.14.0. It is fixed in 1.14.1.
repomix (npm) versions <= 1.14.0 is affected.
Yes. CVE-2026-49988 is fixed in 1.14.1. Upgrade to this version or later.
Whether CVE-2026-49988 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade repomix to 1.14.1 or later.