Path Traversal in Google Mcp Toolbox For Databases (Googleapis/mcp-toolbox)

CVE-2026-11720

A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the r…

Vulnerability class: Path Traversal (Directory Traversal)

Affected products

Weakness classification (CWE)

References