CRITICAL | CVE-2026-11720 | CNA: Google

CVE-2026-11720: Path Traversal in googleapis/mcp-toolbox HTTP Tool URL Builder

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).

Metrics

CVSS v4.0: 9.3
Severity: CRITICAL
Fixed in: 1.3.0
Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox (Google MCP Toolbox for Databases). The flaw is reachable over the network with no authentication required: an attacker supplies crafted dot-segment sequences (../) in path parameters, which are normalized by the Go ResolveReference step, causing the toolbox to issue requests to unintended endpoints on the same target host while forwarding its configured credentials. Successful exploitation gives an attacker read and write access to backend API endpoints outside the operator-configured path scope, such as administrative or secrets endpoints. A patched-image rebuild at version 1.3.0 is available on HarborGuard for affected environments.
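The pattern described in the description and synopsis above, as an added Go example; it is not code from googleapis/mcp-toolbox, and the scoped variant is one possible check, not necessarily the change shipped in 1.3.0. The function names, the `backend.example` host and the single `{{.id}}` parameter are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// buildURL reconstructs the described pattern (hypothetical): substitute the
// parameter, parse as a relative reference, check scheme/host/userinfo, resolve.
func buildURL(base *url.URL, pathTmpl, id string) (*url.URL, error) {
	ref, err := url.Parse(strings.ReplaceAll(pathTmpl, "{{.id}}", id))
	if err != nil {
		return nil, err
	}
	if ref.Scheme != "" || ref.Host != "" || ref.User != nil {
		return nil, errors.New("parameter alters scheme, host or userinfo")
	}
	return base.ResolveReference(ref), nil // dot segments are removed here
}

// buildURLScoped adds the missing check: the parameter must be one path segment,
// is percent-escaped, and the resolved path must keep the template's static prefix.
func buildURLScoped(base *url.URL, pathTmpl, id string) (*url.URL, error) {
	if id == "" || id == "." || id == ".." || strings.ContainsAny(id, "/\\") {
		return nil, errors.New("path parameter is not a single segment")
	}
	u, err := buildURL(base, pathTmpl, url.PathEscape(id))
	if err != nil {
		return nil, err
	}
	prefix, _, _ := strings.Cut(pathTmpl, "{{") // static part before the parameter
	if !strings.HasPrefix(u.Path, prefix) {
		return nil, errors.New("resolved path escapes configured scope")
	}
	return u, nil
}

func main() {
	base, _ := url.Parse("https://backend.example") // constructed host
	const tmpl = "/api/v1/users/{{.id}}"            // tool path from the advisory
	for _, id := range []string{"42", "../../../admin/secrets"} {
		u, _ := buildURL(base, tmpl, id)
		_, err := buildURLScoped(base, tmpl, id)
		fmt.Printf("%q unscoped=%s scoped-err=%v\n", id, u.Path, err)
	}
}
```

The scheme, host and userinfo check passes for both inputs; only the comparison against the configured prefix after resolution separates them.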

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-11720 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images derived from googleapis/mcp-toolbox. Any image running a version below 1.3.0 is flagged as affected.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.3 (Critical) and weighting that score against each customer environment's compliance policy to prioritize routing. Triage findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at googleapis/mcp-toolbox 1.3.0 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable URL builder is exposed over the network, so an attacker must be able to send HTTP requests to the toolbox service to supply malicious path parameters.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no account or credential is needed to submit the crafted path parameters that trigger the traversal.

  • Victim interaction: Not required

    The CVSS vector specifies UI:N, so exploitation is fully automated and requires no action from any user or operator.

  • Attack complexity: Detail

    The CVSS vector specifies AC:L and AT:N, meaning the exploit is reliable and condition-free with no special timing, race conditions, or environmental prerequisites required.

Blast Radius

  • An attacker reads responses from backend API endpoints outside the operator-configured path scope, including administrative routes and secrets endpoints, using the toolbox's own forwarded credentials.
  • An attacker writes to or modifies resources on those unintended endpoints on the same target host, such as creating or overwriting records exposed by admin APIs.
  • Forwarded credentials captured or misused during traversal requests may be replayed independently, extending access beyond the immediate toolbox session.

How HarborGuard Handles This

Available on HarborGuard: detection against this CVE is active for all images derived from googleapis/mcp-toolbox below version 1.3.0, including custom-built images that vendor the library. Where compliance policy permits auto-remediation, HarborGuard rebuilds the affected image at version 1.3.0, executes a regression test run, and opens a pull request against affected workloads; for critical-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For customers who manage remediation manually, HarborGuard surfaces the finding with full CVSS v4.0 context (score 9.3, Critical) and routes it to the appropriate team inbox. Until a rebuild is deployed, consider restricting inbound path parameter values at an API gateway or reverse proxy layer, applying network policy to limit which services can reach the toolbox, and auditing toolbox credential scopes to reduce the blast radius of any traversal that reaches an unintended endpoint.


Fix available: 1.3.0

Affected packages
  • Google / MCP Toolbox for Databases (googleapis/mcp-toolbox)
    < 1.3.0 (from 0)

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N