Path Traversal Vulnerability in GitLab MCP by Zereight
CVE-2026-61462

9.2CRITICAL

Key Information:

Vendor

Zereight

Vendor
CVE Published:
13 July 2026

What is CVE-2026-61462?

The GitLab MCP application contains a path traversal vulnerability in the job_id parameter of the build/index.js file. This flaw enables attackers to manipulate API requests by providing specially crafted job_id values, such as '../../../user', allowing them to escape the defined path restrictions. As a result, they could gain unauthorized access to various GitLab API resources using the access tokens of legitimate users, potentially leading to sensitive data exposure and unauthorized actions within the application.

Affected Version(s)

mcp-gitlab 0

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen
.