Path Traversal Vulnerability in tugcantopaloglu godot-mcp Product
CVE-2026-15522
Key Information:
- Vendor
Tugcantopaloglu
- Status
- Vendor
- CVE Published:
- 13 July 2026
Badges
What is CVE-2026-15522?
A security flaw has been identified in the tugcantopaloglu godot-mcp product version 2.0.0, specifically within the validatePath function located in build/index.js of the component run_project. The vulnerability allows for path traversal due to improper handling of the projectPath argument, which can be exploited locally. Attackers may leverage this flaw to manipulate file paths, leading to unauthorized access to sensitive files. To mitigate this issue, users are strongly advised to upgrade to version 3.0.0, which includes a patch addressing this security concern.
Affected Version(s)
godot-mcp 2.0.0
godot-mcp 3.0.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
