
Google MCP Toolbox Critical Path Traversal Vulnerability

Overview

CVE: CVE-2026-11720

Severity: Critical

Date: 30 June 2026

Google has disclosed a critical path traversal vulnerability affecting MCP Toolbox for Databases (googleapis/mcp-toolbox), an open source Model Context Protocol server that connects AI agents, IDEs, and applications directly to enterprise databases.

The vulnerability, rated Critical (CVSS 9.3), exists in the HTTP tool URL builder and allows an unauthenticated attacker to escape the operator-configured path scope and access unintended endpoints on the same target host.


Affected Versions

  • CVE-2026-11720 affects googleapis/mcp-toolbox versions prior to 1.3.0.

  • Fixed in version 1.3.0.


Vulnerability Breakdown

CVE-2026-11720 - Path Traversal in HTTP Tool URL Builder

Severity: Critical

CVSS: 9.3 (CVSS 4.0)

CWE: CWE-22, Improper Limitation of a Pathname to a Restricted Directory

Description:

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled path parameters into the configured tool path and parses the resulting string as a relative URL. It checks that the input does not alter the scheme, host, or user info, but then relies on net/url's ResolveReference for the final resolution against the base URL. ResolveReference normalises dot segments (../) as part of that resolution, so a path parameter containing directory traversal sequences passes the scheme/host/user check and still escapes the operator-configured path scope.

Impact:

An attacker can coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials.

For example, an attacker could bypass a restricted path like /api/v1/users to reach /admin/secrets.
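The Go program below is an added illustration of the mechanism and of the /api/v1/users to /admin/secrets example above; it is not the Toolbox's own code. It reproduces the described pattern (substitute the raw parameter, parse as a relative URL, check scheme/host/userinfo, resolve with net/url's ResolveReference) and sets it beside a hardened builder. The base URL, the "{id}" placeholder syntax and the function names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// placeholder stands in for a path parameter in an operator-configured tool path,
// e.g. "/api/v1/users/{id}". The template syntax is an assumption for this
// example, not the project's configuration format.
const placeholder = "{id}"

// scopeOf returns the fixed prefix of a tool path, i.e. everything before the
// first placeholder. That prefix is the scope the operator intended to allow.
func scopeOf(pathTemplate string) string {
	if i := strings.Index(pathTemplate, placeholder); i >= 0 {
		return pathTemplate[:i]
	}
	return pathTemplate
}

// buildURLVulnerable reproduces the pattern the advisory describes (an assumed
// shape, not the project's actual code): substitute the raw parameter into the
// template, parse the result as a relative URL, verify scheme, host and userinfo
// are untouched, then resolve against the base with net/url's ResolveReference.
// ResolveReference applies RFC 3986 remove_dot_segments, so "../" in the
// parameter walks out of the configured path before the request is sent.
func buildURLVulnerable(baseURL, pathTemplate, param string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	rel, err := url.Parse(strings.ReplaceAll(pathTemplate, placeholder, param))
	if err != nil {
		return "", err
	}
	if rel.Scheme != "" || rel.Host != "" || rel.User != nil {
		return "", errors.New("parameter must not alter scheme, host or userinfo")
	}
	return base.ResolveReference(rel).String(), nil
}

// resolveWithinScope resolves relPath against baseURL and rejects the result
// unless the path that will go on the wire still starts with the resolved scope.
// This post-resolution check is what the vulnerable builder is missing.
func resolveWithinScope(baseURL, relPath, scopePath string) (string, error) {
	base, err := url.Parse(baseURL)
	if err != nil {
		return "", err
	}
	rel, err := url.Parse(relPath)
	if err != nil {
		return "", err
	}
	if rel.Scheme != "" || rel.Host != "" || rel.User != nil {
		return "", errors.New("parameter must not alter scheme, host or userinfo")
	}
	scope, err := url.Parse(scopePath)
	if err != nil {
		return "", err
	}
	resolved := base.ResolveReference(rel)
	allowed := base.ResolveReference(scope).EscapedPath()
	if !strings.HasPrefix(resolved.EscapedPath(), allowed) {
		return "", fmt.Errorf("resolved path %q escapes configured scope %q", resolved.EscapedPath(), allowed)
	}
	return resolved.String(), nil
}

// buildURLHardened adds two independent layers: the parameter is percent-encoded
// as a single path segment with url.PathEscape (so "/" becomes "%2F" and cannot
// introduce new segments), and the resolved URL is checked against the scope.
func buildURLHardened(baseURL, pathTemplate, param string) (string, error) {
	if param == "" || param == "." || param == ".." {
		return "", errors.New("parameter must be a non-empty, non-dot path segment")
	}
	rel := strings.ReplaceAll(pathTemplate, placeholder, url.PathEscape(param))
	return resolveWithinScope(baseURL, rel, scopeOf(pathTemplate))
}

func main() {
	const base = "https://api.internal.example" // assumed downstream API host
	const tmpl = "/api/v1/users/{id}"
	for _, p := range []string{"42", "../../../admin/secrets"} {
		v, _ := buildURLVulnerable(base, tmpl, p)
		h, err := buildURLHardened(base, tmpl, p)
		fmt.Printf("param %q\n  vulnerable: %s\n  hardened:   %s %v\n", p, v, h, err)
	}
}
```

With the traversal parameter, the vulnerable builder yields https://api.internal.example/admin/secrets, while the hardened builder keeps the request under /api/v1/users/ as a single encoded segment. The scope check is kept separate from the escaping so it still catches a raw substitution if the template handling changes later.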

Conditions:

No authentication required. No user interaction required. Network access required.

Notes:

CISA has assessed this vulnerability as automatable. No exploitation has been reported at the time of publication.


Mitigation

  • Update googleapis/mcp-toolbox to version 1.3.0 or later immediately.

  • If immediate upgrade is not feasible, restrict network access to the MCP Toolbox server to trusted clients only.

  • Review and tighten URL path configurations to limit the blast radius of any path traversal attempt.

  • Monitor and audit API access logs for requests made with the toolbox's credentials that carry dot segments (plain or percent-encoded) in the path, or that reach endpoints outside each tool's configured path scope, since a downstream server logs only the already-resolved path.
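The following Go program is an added example of the log audit the mitigation list calls for; it is not tooling from the Toolbox project. The log format, the tool names and the per-tool scopes are constructed for the example. It flags both forms a traversal can take in logs: raw or percent-encoded dot segments (as a toolbox-side log would show them) and resolved paths outside the tool's scope (as the downstream server would record them).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed sample log lines for this example, not real Toolbox or API
// gateway output. Each line records one downstream request made on behalf of a
// tool: lines 2 and 3 carry raw dot segments (plain and percent-encoded); line 4
// is what a downstream server logs after the traversal has been normalised away.
var sampleLog = []string{
	`2026-06-30T10:15:02Z tool=list_users method=GET path=/api/v1/users/42 status=200`,
	`2026-06-30T10:15:09Z tool=list_users method=GET path=/api/v1/users/../../../admin/secrets status=200`,
	`2026-06-30T10:15:11Z tool=list_users method=GET path=/api/v1/users/%2e%2e/%2e%2e/%2e%2e/admin/secrets status=404`,
	`2026-06-30T10:16:40Z tool=list_users method=GET path=/admin/secrets status=200`,
	`2026-06-30T10:17:03Z tool=get_order method=GET path=/api/v1/orders/7 status=200`,
}

// toolScopes is an assumed operator configuration: the fixed path prefix each
// tool is allowed to reach. In practice, derive it from the tool definitions.
var toolScopes = map[string]string{
	"list_users": "/api/v1/users/",
	"get_order":  "/api/v1/orders/",
}

var kvRe = regexp.MustCompile(`(\w+)=(\S+)`)

// Finding describes one suspicious log line and why it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// auditLine returns a Finding when the request path contains a dot segment
// (before normalisation) or, after normalisation, falls outside the tool's
// configured scope. Both checks are needed: toolbox-side logs may still show
// "../", while the downstream server only sees the already-resolved path.
func auditLine(line string) (Finding, bool) {
	fields := map[string]string{}
	for _, m := range kvRe.FindAllStringSubmatch(line, -1) {
		fields[m[1]] = m[2]
	}
	scope, ok := toolScopes[fields["tool"]]
	if !ok {
		return Finding{line, "request from a tool with no configured scope"}, true
	}
	// Decode once so an encoded "%2e%2e" is inspected as "..".
	decoded, err := url.PathUnescape(fields["path"])
	if err != nil {
		return Finding{line, "undecodable request path"}, true
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == "." || seg == ".." {
			return Finding{line, "dot segment in request path"}, true
		}
	}
	root := strings.TrimSuffix(scope, "/")
	if cleaned := path.Clean(decoded); cleaned != root && !strings.HasPrefix(cleaned, root+"/") {
		return Finding{line, "request outside configured scope " + scope}, true
	}
	return Finding{}, false
}

// auditLog runs auditLine over every line and collects the findings.
func auditLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, hit := auditLine(l); hit {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range auditLog(sampleLog) {
		fmt.Printf("%s\n  -> %s\n", f.Line, f.Reason)
	}
}
```

Run against the sample, three of the five lines are flagged: two for dot segments and one for an out-of-scope request. Point the scope map at your real tool definitions and feed it the downstream API's access log filtered to the toolbox's credential to apply the same logic in an investigation.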


Summary for IT Teams

Products: Google MCP Toolbox for Databases (googleapis/mcp-toolbox)

Threat Level: Critical, CVSS 9.3

Action Required: Update googleapis/mcp-toolbox to version 1.3.0 or later immediately. Restrict network access to the MCP Toolbox server until the update is applied.



Need Help?

If your organisation needs assistance assessing exposure, validating MCP Toolbox versions, or prioritising remediation, Secure ISS can help. Contact our SOC team on 1300 769 460 or email us.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
