External risk intelligence

MCP GitLab Path Traversal via Job ID Parameter

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-61462

The vulnerability exists in an MCP server for GitLab. While typically used as an integration component for AI agents, such servers may be deployed in environments where they are accessible to networked clients, making internet or internal network reachability possible depending on the specific implementation.

Path Traversal

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A path traversal vulnerability has been identified in mcp-gitlab, allowing unauthorized access to GitLab API resources by redirecting requests. This could potentially expose sensitive information or allow for malicious actions if an attacker can exploit this flaw. The primary concern is to confirm if this technology is in use and assess any potential exposure.

  • Attackers can redirect GitLab API requests.
  • This could lead to unauthorized access of sensitive data.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to the GitLab API. The vulnerability resides in how the `job_id` parameter is handled, allowing an attacker to manipulate it to bypass intended path restrictions. This could enable them to access or redirect arbitrary GitLab API resources that an operator's personal access token might otherwise permit.

  • Network access required.
  • Manipulated `job_id` parameter.
  • Unauthorized API resource access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to redirect GitLab API requests to arbitrary endpoints, potentially accessing sensitive GitLab API resources. This is possible by crafting specific `job_id` values, which can bypass intended path restrictions. The impact depends on the specific configuration and network accessibility of the affected system.

  • GitLab API resources could be accessed.
  • Crafted input may redirect API requests.
  • Unauthorized access to API resources.

Operational Fix

Recommended remediation, mitigation, and detection steps

The mcp-gitlab component, used for GitLab API request redirection, likely falls under the responsibility of the platform or infrastructure team managing the GitLab environment. The first practical step is to identify all instances of mcp-gitlab, determine their network exposure and business criticality, and then assign ownership for remediation planning.

  • Identify all mcp-gitlab instances.
  • Verify network reachability and criticality.
  • Assign ownership for remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is mcp-gitlab?

mcp-gitlab is a Model Context Protocol (MCP) server that acts as a connector between AI agents and GitLab. It allows AI models to interact with GitLab resources by translating natural language requests into API calls. Developers and teams use this component to give AI assistants the capability to manage repository tasks, review code, or pull build information directly from their GitLab instances.

How does CVE-2026-61462 work?

This vulnerability is a path traversal flaw, categorized as CWE-73. It happens because the software does not properly sanitize the job_id parameter before using it in an API request. By inserting special character sequences, an attacker can escape the intended directory or endpoint scope, tricking the server into querying unauthorized GitLab API resources using the credentials configured for the connector.

Do I need to be authenticated to trigger this?

No, the vulnerability does not require authentication. An attacker can trigger the path traversal by sending a crafted request to the API with a manipulated job_id value. Simply providing standard, valid job identifiers will not trigger the bug; it only occurs when an attacker specifically injects traversal sequences, such as '../', to force the application to look outside of its authorized path.

Is my instance at risk?

According to Halo Surface Signal, your risk depends on network reachability. If your mcp-gitlab server is exposed to the internet or reachable by untrusted clients on an internal network, it is at higher risk. Because it functions as an integration bridge, you should evaluate whether your deployment is reachable by external traffic or restricted to local, secure environments only.

How do I start responding to this CVE?

First, locate every instance of mcp-gitlab running in your environment. Once identified, check how each instance is networked to determine if it is accessible to unauthorized users. After assessing your footprint, coordinate with your infrastructure or platform teams to prioritize these instances and track them for updates that resolve the parameter handling flaw.

References