CVE-2026-7403

MEDIUM 5.3

geldata gel-mcp server.py fetch_rule path traversal

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list_rules/fetch_rule of the file src/gel_mcp/server.py. The manipulation of the argument rule_name results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CWE	CWE-22
Vendor	geldata
Product	gel-mcp
Published	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for geldata gel-mcp

Be the first to know when new medium vulnerabilities affecting geldata gel-mcp are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

geldata / gel-mcp

0.1.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

vuldb.com: https://vuldb.com/vuln/360139 vuldb.com: https://vuldb.com/vuln/360139/cti vuldb.com: https://vuldb.com/submit/803530 github.com: https://github.com/geldata/gel-mcp/issues/11 github.com: https://github.com/geldata/gel-mcp/

Credits

🔍 LargeW (VulDB User) VulDB CNA Team