Ghostwire

CVE-2026-61462: mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to...

CRITICAL CVSS 0.0

Published: July 13, 2026 | Last Modified: July 13, 2026

Description

mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

Security Coverage (1 articles)

References