Vulnerability  ·  2026-07-14

mcp-gitlab Path Traversal Enables Redirection of GitLab API Requests to Arbitrary Endpoints

VulnerabilityHigh impactGlobalCVE-2026-61462
mcp-gitlab, an MCP server exposing GitLab operations (projects, merge requests, issues, pipelines, wiki, releases) to AI agents, contains a path traversal vulnerability (CVSS 8.6) in its job_id parameter handling that lets an attacker escape the intended API path prefix and redirect GitLab API calls elsewhere.
mcp-gitlab is a popular GitLab MCP server used to let coding agents (Claude Code, Cursor, etc.) interact with GitLab. Redirecting API calls issued with the server's stored GitLab credentials could leak GitLab tokens/session data to attacker-controlled endpoints or be used to manipulate CI/CD pipeline data, a meaningful risk given MCP servers routinely hold privileged tokens on behalf of AI agents.
An attacker supplies crafted job_id values (e.g. containing ../../../user sequences) to build/index.js, escaping the intended path prefix so that GitLab API requests issued by the MCP server are redirected to arbitrary attacker-influenced endpoints instead of the intended GitLab job resource.
mcp-gitlab (zereight/gitlab-mcp npm package)
Upgrade to a patched version of @zereight/mcp-gitlab; validate/sanitize job_id path segments server-side before constructing GitLab API request paths.
NVD - CVE-2026-61462zereight/gitlab-mcp GitHub repository
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →