Home

Description

A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.

PUBLISHED Reserved 2026-07-12 | Published 2026-07-13 | Updated 2026-07-13 | Assigner VulDB




MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
MEDIUM: 5.3CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
MEDIUM: 5.3CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
4.3AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Problem types

Path Traversal

Product status

2.0.0
affected

3.0.0
unaffected

Timeline

2026-07-12:Advisory disclosed
2026-07-12:VulDB entry created
2026-07-12:VulDB entry last update

Credits

Mcfly_Zhang (VulDB User) reporter

References

vuldb.com/vuln/377851 (VDB-377851 | tugcantopaloglu godot-mcp run_project index.js validatePath path traversal) vdb-entry technical-description

vuldb.com/vuln/377851/cti (VDB-377851 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/cve/CVE-2026-15522 (CVE-2026-15522 | CVE Analysis and Report) third-party-advisory

vuldb.com/submit/854523 (Submit #854523 | tugcantopaloglu godot-mcp 2.0.0 Path Traversal) third-party-advisory

github.com/tugcantopaloglu/godot-mcp/issues/9 exploit issue-tracking

github.com/...ommit/eb63add552aa4bd9205395cf91b40654654a3cf2 patch

github.com/tugcantopaloglu/godot-mcp/releases/tag/v3.0.0 patch

github.com/tugcantopaloglu/godot-mcp/ product

cve.org (CVE-2026-15522)

nvd.nist.gov (CVE-2026-15522)

Download JSON