CVE-2026-11720

Path Traversal in googleapis MCP Toolbox

Vulnerability report for CVE-2026-11720, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Google Inc.

Description

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: googleapis
Product: mcp_toolbox
Version / Range: 1.3.0


Exploitability

CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

This vulnerability is a path traversal issue in the HTTP tool URL builder of googleapis/mcp-toolbox. When the tool constructs API request URLs, it inserts user-controlled path parameters into the URL path. Although it checks that these inputs do not change the scheme, host, or user info, it relies on a URL resolution method that normalizes dot segments like "../". An attacker can exploit this by supplying path parameters containing directory traversal sequences to escape the intended path scope. This allows the attacker to make the toolbox send requests to unintended endpoints on the same host, potentially accessing restricted paths while using the toolbox's configured credentials.

Compliance Impact

The vulnerability allows attackers to perform path traversal attacks that can bypass intended access restrictions and access unauthorized endpoints on the same target host while forwarding configured credentials.

Such unauthorized access to sensitive endpoints could lead to exposure or unauthorized manipulation of protected data, which may result in non-compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of sensitive information.

However, the provided information does not explicitly discuss compliance impacts or specific regulatory consequences.

Impact Analysis

This vulnerability can allow an attacker to bypass intended path restrictions and access unauthorized endpoints on the target host. By exploiting directory traversal sequences in path parameters, the attacker can coerce the toolbox into making requests to sensitive or restricted areas, such as administrative or secret endpoints, while forwarding the toolbox's credentials. This can lead to unauthorized data access or actions being performed without proper authorization.

Detection Guidance

Detection of this path traversal vulnerability involves monitoring for HTTP requests that include directory traversal sequences such as "../" or their URL-encoded equivalents like "%2e%2e" in path parameters.

You can use network monitoring or log analysis tools to search for such suspicious patterns in URLs constructed by the googleapis/mcp-toolbox.

For example, using command-line tools on logs or live traffic, you might run commands like:

  • grep -Ei '\.\./|%2e%2e' /path/to/access.log
  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -Ei '\.\./|%2e%2e'

These commands search for directory traversal patterns in HTTP request paths, which could indicate exploitation attempts against this vulnerability. The -i flag makes the match case-insensitive so that the upper-case encoding "%2E%2E" is caught as well. Two caveats apply: traffic on port 443 is TLS-encrypted, so the tcpdump pipeline only matches plaintext HTTP; and because ResolveReference normalizes "../" before the outbound request is built, the traversal sequence shows up in the path parameters the toolbox receives from the client rather than in the normalized URL it emits, so the toolbox's own tool-call inputs and request logs are the more reliable place to look.

Mitigation Strategies

To mitigate this vulnerability immediately, update the googleapis/mcp-toolbox to version 1.3.0 or later, which includes the fix for this issue.

The fix rejects relative or URL-encoded dot segments (such as ".." or "%2e%2e") to prevent directory traversal and enforces path validation to ensure resolved paths do not escape the intended base path scope.

Additionally, use the new template functions `pathEscape` and `queryEscape` introduced in the update to prevent path tampering.
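The following Go program is an added example, not code from the googleapis/mcp-toolbox project, written to illustrate both the mechanism in the description above and the shape of the fix described under Mitigation Strategies. It assumes a hypothetical base URL, a tool path modelled on the page's /api/v1/users/{{.id}} example, and a single path parameter named id; the function names buildVulnerable, buildHardened and hasDotSegment are invented for this illustration. The vulnerable builder substitutes the raw parameter and relies on net/url's ResolveReference, which collapses dot segments; the hardened builder rejects raw or percent-encoded dot segments, escapes the parameter with url.PathEscape, and verifies the resolved path still sits under the operator-configured prefix.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed values for the example: a hypothetical upstream base URL and a tool
// path modelled on the advisory's /api/v1/users/{{.id}} example.
const baseURL = "https://api.example.internal"
const toolPath = "/api/v1/users/{{.id}}"

// buildVulnerable mirrors the pattern the advisory describes: the raw parameter is
// substituted into the template, the result is parsed as a relative URL, and a
// scheme/host/user-info check is performed before ResolveReference. The check
// passes, but ResolveReference normalizes "../" and lets the path escape its scope.
func buildVulnerable(base, tmpl, id string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	rel, err := url.Parse(strings.Replace(tmpl, "{{.id}}", id, 1))
	if err != nil {
		return "", err
	}
	if rel.Scheme != "" || rel.Host != "" || rel.User != nil {
		return "", errors.New("path parameter must not set scheme, host or user info")
	}
	return b.ResolveReference(rel).String(), nil
}

// hasDotSegment reports whether any "/"-separated segment of the parameter is "."
// or "..", in either its literal or its percent-decoded form. A malformed escape
// is treated as suspicious and rejected as well.
func hasDotSegment(p string) bool {
	decoded, err := url.PathUnescape(p)
	if err != nil {
		return true
	}
	for _, form := range []string{p, decoded} {
		for _, seg := range strings.Split(form, "/") {
			if seg == "." || seg == ".." {
				return true
			}
		}
	}
	return false
}

// buildHardened applies the defences the advisory's fix describes (this is an
// illustration of those defences, not the project's actual code): reject dot
// segments, escape the parameter as a single path segment, and confirm the
// resolved path still begins with the configured prefix.
func buildHardened(base, tmpl, id string) (string, error) {
	if hasDotSegment(id) {
		return "", errors.New("path parameter contains a dot segment")
	}
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	rel, err := url.Parse(strings.Replace(tmpl, "{{.id}}", url.PathEscape(id), 1))
	if err != nil {
		return "", err
	}
	if rel.Scheme != "" || rel.Host != "" || rel.User != nil {
		return "", errors.New("path parameter must not set scheme, host or user info")
	}
	resolved := b.ResolveReference(rel)
	// The operator-configured scope is everything before the first placeholder.
	prefix := tmpl[:strings.Index(tmpl, "{{")]
	if !strings.HasPrefix(resolved.Path, prefix) {
		return "", fmt.Errorf("resolved path %q escapes scope %q", resolved.Path, prefix)
	}
	return resolved.String(), nil
}

func main() {
	for _, id := range []string{"42", "../../../admin/secrets", "%2e%2e/%2e%2e/%2e%2e/admin/secrets"} {
		v, verr := buildVulnerable(baseURL, toolPath, id)
		h, herr := buildHardened(baseURL, toolPath, id)
		fmt.Printf("id=%q\n  vulnerable: %s %v\n  hardened:   %s %v\n", id, v, verr, h, herr)
	}
}
```

Running it shows the vulnerable builder turning the id "../../../admin/secrets" into a request for /admin/secrets on the same host, while the hardened builder rejects that input and its percent-encoded variant and still accepts ordinary ids. Note that a parameter containing a literal "/" is escaped to "%2F" by url.PathEscape, so it stays a single path segment rather than introducing new path components.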
