Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product uses a rolling release to provide continuous delivery; therefore, no version details for affected or updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue.
Analysis (AI)
Path traversal via improper access control in mcp-google-workspace's MCP Gmail Tool (all pre-patch commits through 831790e) allows an authenticated low-privileged MCP client to write files to arbitrary filesystem locations by supplying crafted relative paths containing directory traversal sequences to the saveToDisk function. Publicly available exploit code exists (GitHub issue #19), though the attack requires an active MCP session (CVSS PR:L). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The MCP server must be running and the attacker must hold a low-privilege authenticated MCP session (CVSS PR:L), meaning they are either a legitimate user of the mcp-google-workspace server or a prompt-injection payload executing within an active AI session that has the server configured. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 2.1 (Low) reflects the combined constraints of low privileges required (PR:L) and limited impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L on the vulnerable system, with no subsequent-system impact SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged authenticated MCP session - or a malicious prompt injected via a crafted email body processed by the AI assistant - invokes gmail_get_attachment with a save path argument of '../../.ssh/authorized_keys' or a similar traversal sequence. The unvalidated saveToDisk function resolves this path relative to the server's working directory and writes the attachment's content (controllable by whoever crafted the email) to the targeted file outside the intended attachments directory. … |
| Remediation | Apply the upstream fix by updating mcp-google-workspace to a version at or after commit 89c091ecf8b9f9c7291d1af0b1966e271f86551c (https://github.com/j3k0/mcp-google-workspace/commit/89c091ecf8b9f9c7291d1af0b1966e271f86551c, PR #22); since no tagged release is available, operators should pull the latest main branch commit and verify that the resolveAttachmentPath function in gmail-helpers.ts is present. … Detailed patch versions, workarounds, and compensating controls in full report. |
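The following TypeScript is an added illustration of the failure mode described in the Exploit Scenario row and of the kind of containment check the Remediation row refers to. It is not code from mcp-google-workspace and does not reproduce the project's own resolveAttachmentPath; the function names, the `baseDir` parameter and the sample paths are assumptions chosen for this example. The naive resolver shows why an unvalidated relative path escapes the attachments directory; the hardened resolver anchors every request under a fixed base directory and refuses anything whose normalised result lies outside it.

```typescript
import * as path from "node:path";

// Reconstruction of the unvalidated behaviour described above (hypothetical,
// not the project's code): the client-supplied name is resolved against the
// process working directory, so ".." components walk out of it.
export function naiveResolve(workingDir: string, requested: string): string {
  return path.resolve(workingDir, requested);
}

// Hardened resolver (hypothetical, not the project's resolveAttachmentPath).
// baseDir is the only directory attachments may be written to; requested is
// the client-supplied save path. Returns the absolute target path or throws.
export function resolveAttachmentPath(baseDir: string, requested: string): string {
  if (requested.length === 0 || requested.includes("\0")) {
    throw new Error("save path must be a non-empty string without NUL bytes");
  }
  const root = path.resolve(baseDir);
  // path.resolve discards root entirely if requested is absolute, and
  // normalises ".." segments, so the containment test below sees the real target.
  const target = path.resolve(root, requested);
  const rel = path.relative(root, target);
  // Inside the base directory iff the relative path is non-empty (the base
  // directory itself is not a valid file target), does not climb out with a
  // leading ".." segment, and is not absolute (which path.relative yields on
  // Windows when the drive letter changes). A plain filename such as "..notes"
  // is legitimate and is not caught, because only a whole ".." segment is tested.
  const escapes =
    rel === "" ||
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`refusing to write outside ${root}: ${requested}`);
  }
  return target;
}

// Convenience predicate for policy checks and tests.
export function isSafeAttachmentPath(baseDir: string, requested: string): boolean {
  try {
    resolveAttachmentPath(baseDir, requested);
    return true;
  } catch {
    return false;
  }
}
```

The lexical check above is the usual first line of defence; it does not account for symlinks already present under the base directory, so a deployment that lets several clients share one attachments directory should additionally resolve the base with `fs.realpath` and open the target with flags that refuse to follow a symlink, or simply honour only `path.basename(requested)` when nested output directories are not needed.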
External POC / Exploit Code: referenced by the source; link not preserved.

Related identifiers:
- EUVD-2026-33721
- GHSA-37j4-5858-49mq