Vulnerability Details CVE-2026-11720
A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox.
When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).
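To make the advisory's mechanism concrete, here is an added Go example (not mcp-toolbox's own code) of a template-based URL builder in the shape described above, beside a hardened version; the template, the example host and the function names are assumptions. The hardened builder treats each path parameter as exactly one path segment and re-checks the resolved path against the template's static prefix after ResolveReference has run.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Constructed illustration of the advisory, not project code: the template,
// host and function names are assumptions.
const tmpl = "/api/v1/users/{{.id}}" // operator-configured tool path
var base, _ = url.Parse("https://api.example.test")

// parseRel parses the substituted path and applies the check the advisory
// says the builder performs; it does not catch dot segments.
func parseRel(s string) (*url.URL, error) {
	rel, err := url.Parse(s)
	if err != nil {
		return nil, err
	}
	if rel.Scheme != "" || rel.Host != "" || rel.User != nil {
		return nil, fmt.Errorf("parameter must not change scheme, host or userinfo")
	}
	return rel, nil
}

// Vulnerable shape: raw substitution, then ResolveReference collapses "..".
func buildURLUnsafe(id string) (string, error) {
	rel, err := parseRel(strings.ReplaceAll(tmpl, "{{.id}}", id))
	if err != nil {
		return "", err
	}
	return base.ResolveReference(rel).String(), nil
}

// Hardened shape: one segment only (no dot segments, no separators),
// percent-escaped, plus a prefix check on the resolved path.
func buildURLSafe(id string) (string, error) {
	if id == "" || id == "." || id == ".." || strings.ContainsAny(id, "/\\") {
		return "", fmt.Errorf("invalid path parameter %q", id)
	}
	rel, err := parseRel(strings.ReplaceAll(tmpl, "{{.id}}", url.PathEscape(id)))
	if err != nil {
		return "", err
	}
	resolved := base.ResolveReference(rel)
	prefix := tmpl[:strings.Index(tmpl, "{{")]
	if !strings.HasPrefix(resolved.EscapedPath(), prefix) {
		return "", fmt.Errorf("resolved path %q escapes %q", resolved.EscapedPath(), prefix)
	}
	return resolved.String(), nil
}
```

The escaping step also neutralises percent-encoded dot segments such as `%2e%2e`, which the prefix check alone would not see because ResolveReference leaves them unnormalised for the upstream server to interpret.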
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 29.1%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2026-11720
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.0.1
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.0.2
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.0.3
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.0.4
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.0.5
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.1.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.10.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.11.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.12.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.13.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.14.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.15.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.16.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.17.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.18.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.19.1
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.2.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.2.1
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.20.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.21.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.22.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.23.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.24.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.25.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.26.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.27.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.28.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.29.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.3.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.30.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.31.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.32.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.4.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.5.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.6.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.7.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.8.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:0.9.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:1.0.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:1.1.0
- cpe:2.3:a:google:mcp_toolbox_for_databases:1.2.0