CVE-2026-11720

CRITICAL

Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder

Title source: cna
STIX 2.1

Description

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).

References (1)

Core 1

Scores

CVSS v3 9.1
EPSS 0.0037
EPSS Percentile 29.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-22
Status published
Products (2)
Google/MCP Toolbox for Databases (googleapis/mcp-toolbox) < 1.3.0
google/mcp_toolbox_for_databases < 1.3.0
Published Jun 29, 2026
Tracked Since Jun 29, 2026