CVE-2026-61462
HIGH
NVD
CVSS Score
8.6
Severity
HIGH
Published
Jul 13, 2026
Vendor
unknown
Description
mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.