What happened
mcp-gitlab, an MCP server exposing GitLab operations (projects, merge requests, issues, pipelines, wiki, releases) to AI agents, contains a path traversal vulnerability (CVSS 8.6) in its job_id parameter handling that lets an attacker escape the intended API path prefix and redirect GitLab API calls elsewhere.
Why it matters
mcp-gitlab is a popular GitLab MCP server used to let coding agents (Claude Code, Cursor, etc.) interact with GitLab. Redirecting API calls issued with the server's stored GitLab credentials could leak GitLab tokens/session data to attacker-controlled endpoints or be used to manipulate CI/CD pipeline data, a meaningful risk given MCP servers routinely hold privileged tokens on behalf of AI agents.
Attack vector
An attacker supplies crafted job_id values (e.g. containing ../../../user sequences) to build/index.js, escaping the intended path prefix so that GitLab API requests issued by the MCP server are redirected to arbitrary attacker-influenced endpoints instead of the intended GitLab job resource.
Affected systems
mcp-gitlab (zereight/gitlab-mcp npm package)
Mitigation
Upgrade to a patched version of @zereight/mcp-gitlab; validate/sanitize job_id path segments server-side before constructing GitLab API request paths.