GHSA-5383-j2p9-qfg3CriticalCVSS 8.6

mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that...

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

mcp-gitlab contains a path traversal vulnerability in the job_id parameter of build/index.js that allows attackers to redirect GitLab API requests to arbitrary endpoints. Attackers can supply crafted job_id values like ../../../user to escape the intended path prefix and access arbitrary GitLab API resources using the operator's personal access token.

🔗 References (6)