PT-2026-57839 · Unknown · Mcp-Gitlab

George Chen

·

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-61462

CVSS v3.1

8.6

High

VectorAV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions mcp-gitlab versions prior to 2.1.18
Description A path traversal issue exists in the job id parameter within the build/index.js file. This allows attackers to escape the intended path prefix by providing crafted values, such as ../../../user, to redirect GitLab API requests to arbitrary endpoints. Consequently, an attacker can access unauthorized GitLab API resources using the operator's personal access token.
Recommendations Update to version 2.1.18.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-61462

Affected Products

Mcp-Gitlab