{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp-gitlab/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-61462"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mcp-gitlab"],"_cs_severities":["high"],"_cs_tags":["path-traversal","gitlab","web-vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["GitLab"],"content_html":"\u003cp\u003eCVE-2026-61462 details a significant path traversal vulnerability present in \u003ccode\u003emcp-gitlab\u003c/code\u003e, specifically within the \u003ccode\u003ejob_id\u003c/code\u003e parameter of the \u003ccode\u003ebuild/index.js\u003c/code\u003e component. This flaw enables an attacker to manipulate file paths, effectively allowing them to redirect internal GitLab API requests to arbitrary endpoints. By crafting malicious \u003ccode\u003ejob_id\u003c/code\u003e values, such as \u003ccode\u003e../../../user\u003c/code\u003e, attackers can bypass security controls that restrict access to specific directories. This exploitation grants them unauthorized access to sensitive GitLab API resources, crucially leveraging the operator's personal access token. The successful exploitation of this vulnerability could lead to comprehensive compromise of GitLab data and functions associated with the operator's privileges, making it critical for organizations using \u003ccode\u003emcp-gitlab\u003c/code\u003e to address. This vulnerability poses a direct threat to data confidentiality and integrity within affected environments.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious HTTP GET or POST request targeting the \u003ccode\u003ebuild/index.js\u003c/code\u003e endpoint of a vulnerable \u003ccode\u003emcp-gitlab\u003c/code\u003e instance.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes a \u003ccode\u003ejob_id\u003c/code\u003e parameter containing path traversal sequences, such as \u003ccode\u003e../../../\u003c/code\u003e followed by a target API endpoint (e.g., \u003ccode\u003e../../../user\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emcp-gitlab\u003c/code\u003e application processes the \u003ccode\u003ejob_id\u003c/code\u003e parameter without proper sanitization or validation of the input path.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal vulnerability, the application's internal request handling redirects or attempts to access a GitLab API resource outside of the intended directory.\u003c/li\u003e\n\u003cli\u003eThe redirected internal API request is executed with the privileges of the \u003ccode\u003emcp-gitlab\u003c/code\u003e operator, specifically using their personal access token.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the GitLab API resource specified in their crafted \u003ccode\u003ejob_id\u003c/code\u003e, bypassing access controls.\u003c/li\u003e\n\u003cli\u003eThis unauthorized access allows the attacker to view, modify, or exfiltrate sensitive data and potentially control aspects of the GitLab environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61462 grants attackers unauthorized access to arbitrary GitLab API resources by leveraging the operator's personal access token. This could lead to severe consequences, including the exfiltration of sensitive source code, intellectual property, or user data. Attackers could also manipulate repositories, pipelines, or user accounts, causing significant disruption to development workflows and potentially enabling further lateral movement within an organization's infrastructure. The vulnerability's high CVSS v3.1 Base Score of 8.6 indicates a critical risk, suggesting that exploitation could result in significant data compromise or system integrity loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61462 on all \u003ccode\u003emcp-gitlab\u003c/code\u003e instances immediately to prevent exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM to detect attempts to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive webserver logging to capture full HTTP request details, including URI stems and query parameters, to ensure the rule can be effectively activated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:19:01Z","date_published":"2026-07-13T18:19:01Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61462-mcp-gitlab-path-traversal/","summary":"A path traversal vulnerability, CVE-2026-61462, in the job_id parameter of build/index.js within mcp-gitlab allows attackers to redirect GitLab API requests to arbitrary endpoints by escaping the intended path prefix, leveraging the operator's personal access token for unauthorized access.","title":"CVE-2026-61462 - mcp-gitlab Path Traversal Vulnerability Leading to Unauthorized API Access","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61462-mcp-gitlab-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed - Mcp-Gitlab","version":"https://jsonfeed.org/version/1.1"}