Path Traversal Vulnerability in GitLab MCP by Zereight
CVE-2026-61462
9.2CRITICAL
What is CVE-2026-61462?
The GitLab MCP application contains a path traversal vulnerability in the job_id parameter of the build/index.js file. This flaw enables attackers to manipulate API requests by providing specially crafted job_id values, such as '../../../user', allowing them to escape the defined path restrictions. As a result, they could gain unauthorized access to various GitLab API resources using the access tokens of legitimate users, potentially leading to sensitive data exposure and unauthorized actions within the application.
Affected Version(s)
mcp-gitlab 0
