Product
A path traversal vulnerability, CVE-2026-61462, in the job_id parameter of build/index.js within mcp-gitlab allows attackers to redirect GitLab API requests to arbitrary endpoints by escaping the intended path prefix, leveraging the operator's personal access token for unauthorized access.