Skip to main content

mcp-gitlab CVE-2026-61462

CRITICAL
External Control of File Name or Path (CWE-73)
2026-07-13 VulnCheck
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.6 HIGH

Network-reachable, low-complexity parameter injection with no enforced auth (PR:N per vendor); scope change (S:C) because the operator PAT reaches a different security authority, yielding high confidentiality but no integrity/availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 13, 2026 - 19:27 vuln.today
Analysis Generated
Jul 13, 2026 - 19:27 vuln.today
CVE Published
Jul 13, 2026 - 17:17 cve.org
CRITICAL 9.2

DescriptionCVE.org

mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.

AnalysisAI

GitLab API request redirection in zereight's mcp-gitlab (gitlab-mcp) MCP server lets attackers who control the job_id parameter escape the intended /jobs/ path prefix and reach arbitrary GitLab REST API endpoints under the operator's personal access token. Because the token is a bearer of the operator's full GitLab privileges, a crafted value such as '../../../user' resolves to /api/v4/user (or any other resource), turning a scoped job lookup into broad unauthorized data access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach MCP job tool interface
Delivery
Supply job_id='../../../user'
Exploit
Path collapses past /jobs/ prefix
Execution
Request hits arbitrary GitLab API endpoint
Persist
Operator PAT authorizes call
Impact
Exfiltrate targeted GitLab resource

Vulnerability AssessmentAI

Exploitation Exploitation requires that the mcp-gitlab server is deployed and configured with a valid GitLab personal access token, and that the attacker can control the value of the job_id (or analogous pipeline_id) parameter passed to one of the job/pipeline tools (getPipelineJob, getPipelineJobOutput/trace, artifact retrieval, play/retry/cancel, etc.). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/SC:H, score 9.2) reflects a network-reachable, low-complexity flaw with high confidentiality impact on both the vulnerable system and a subsequent system (the GitLab instance reached with the operator token). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker able to influence a job_id passed to the MCP server - for example through prompt injection into the AI agent driving it, or by supplying a malicious identifier - sends job_id='../../../user'. The server builds https://gitlab.com/api/v4/projects/1/jobs/../../../user/trace, which the URL parser collapses to /api/v4/user, and the request executes with the operator's personal access token, returning the operator's account details or any other targeted GitLab resource. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fix from commit e2a81a0 (https://github.com/zereight/gitlab-mcp/commit/e2a81a047ab8750fa5bfa1763b5d85e5616f3994), which routes all job and pipeline identifiers through encodeGitLabPathSegment() so traversal payloads stay within a single URL segment; upgrade to the corresponding released version once tagged and confirm against the VulnCheck advisory (https://www.vulncheck.com/advisories/mcp-gitlab-path-traversal-via-job-id-parameter). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and disconnect all zereight's mcp-gitlab instances from production until patched, and examine the past 30 days of server logs for suspicious job_id parameters containing path traversal sequences (e.g., '../'). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-61462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy