External risk intelligence

Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-11720

The vulnerable component is a developer-focused library (mcp-toolbox) used for building and constructing API requests within client-side or backend application code. It is not an internet-facing service, gateway, or standalone application, and therefore does not have a public-facing attack surface in common deployment patterns.

Path Traversal

Google Mcp Toolbox For Databases

before 1.3.0

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A path traversal vulnerability has been identified in a tool used for constructing API requests, potentially allowing unauthorized access to sensitive information or system functions on the same host. This issue affects how user-provided data is processed when building URLs, enabling an attacker to bypass intended path restrictions. The main concern is confirming relevance and exposure.

  • Attackers can bypass security restrictions.
  • Confirms potential for unauthorized access.
  • Understand potential impact on internal systems.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to the HTTP tool URL builder. This component is used to construct downstream API requests, and an attacker could provide path parameters containing directory traversal sequences, such as "../". Although some checks are in place, the system relies on URL resolution that normalizes these sequences. This allows an attacker to break out of the intended path and potentially access sensitive information or perform actions on unintended endpoints on the same host, using the toolbox's credentials.

  • No authentication or privileges required.
  • User-supplied parameters in URL construction.
  • Access sensitive data or execute unintended actions.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to trick the HTTP tool URL builder into making requests to unintended endpoints on the same host. This is possible when the builder substitutes user-controlled path parameters into a configured tool path and resolves the resulting string as a relative URL. When supported, the attacker could leverage this to bypass path restrictions and access sensitive administrative or secret endpoints, potentially forwarding the toolbox's configured credentials.

  • Tool path configuration.
  • Directory traversal sequences.
  • Unauthorized access to host endpoints.

Operational Fix

Recommended remediation, mitigation, and detection steps

The googleapis/mcp-toolbox library's HTTP tool URL builder is susceptible to path traversal, allowing an attacker to reach unintended endpoints on a target host by manipulating path parameters. This could expose sensitive information or allow unauthorized actions, especially if the toolbox is operating with elevated privileges.

  • Ownership: Application owners and platform teams.
  • Verify: Reachability and business criticality.
  • Action: Plan remediation or mitigate risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the googleapis/mcp-toolbox library used for?

This is a developer-focused software library designed to assist in building and constructing API requests. Developers integrate it into their own applications—whether on the client or backend—to manage how those apps interact with remote services. Because it functions as a component within larger systems rather than a standalone product, its role is strictly to help automate and structure the communication traffic that your application sends out to other web-based resources.

What does CVE-2026-11720 mean in simple terms?

This vulnerability is a path traversal flaw (CWE-22). It happens when the library builds a web address using data provided by a user. If that data includes special sequences like '../', the library may accidentally navigate outside its intended path. By doing this, it could be tricked into accessing restricted parts of the same web server, such as administrative folders or secret files, instead of just the specific endpoint the application developer originally intended.

How can an attacker trigger this URL builder bug?

An attacker needs to provide specific input to the application that uses the toolbox to construct API paths. The issue occurs when these user-supplied parameters are merged into the URL string. Crucially, the vulnerability relies on the tool's final resolution step, which treats directory traversal sequences as valid navigation instructions. If no user-controlled input is passed to the tool during URL construction, the mechanism that creates the unsafe path is never engaged.

Is my system at risk if the application is internal?

According to Halo Surface Signal, this software is a library, not an internet-facing gateway or server, making broad external exposure very unlikely. The primary risk is internal; if a compromised service or a malicious user can influence the inputs fed into the tool, they could potentially reach sensitive endpoints on the same internal host. You should evaluate if any of your internal applications use this library to process untrusted or user-supplied data in their request construction logic.

What should I do if my team uses this library?

First, identify which applications or services in your environment include googleapis/mcp-toolbox as a dependency. Once you have a list, work with your developers to determine if those tools currently accept user-provided data that impacts the construction of downstream API paths. If you find high-risk areas where external or unauthenticated input influences these paths, prioritize planning a version update or implementing strict input validation to block directory traversal characters.

References