Description
A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list_rules/fetch_rule of the file src/gel_mcp/server.py. The manipulation of the argument rule_name results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in geldata gel-mcp 0.1.0 and is triggered when a malicious value is supplied to the rule_name argument in the fetch_rule endpoint. The insufficient sanitization of this argument permits path traversal, enabling an attacker to request resources outside the intended directory, potentially exposing sensitive configuration files or other confidential data. Because the flaw is reachable over the network, an attacker can exploit it from a remote host, compromising the confidentiality of system files.

Affected Systems

Geldata’s gel-mcp service, specifically version 0.1.0. The issue was identified in the src/gel_mcp/server.py file, which implements the list_rules/fetch_rule functionality. No other versions or products were mentioned in the CVE record.

Risk and Exploitability

The CVSS score of 6.9 reflects moderate severity, and a proof-of-concept exploit is publicly available. No EPSS score is reported, indicating either insufficient data or a low exploitation probability; however, the CVE record notes that the vulnerability is exploitable remotely over the network. It is not listed in CISA's KEV catalog, so there is no confirmed record of in-the-wild exploitation in that catalog. In practice, an attacker needs only network access to the service’s endpoint to trigger the path traversal.

Generated by OpenCVE AI on April 30, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any security update or community patch released by Geldata for gel-mcp 0.1.0 as soon as it becomes available.
  • Restrict remote access to the fetch_rule endpoint by configuring network firewalls or VPN restrictions, limiting exposure to trusted hosts only.
  • Enable detailed logging of incoming requests to the fetch_rule endpoint and monitor for path traversal patterns, such as sequences containing '../' or absolute paths, to detect attempted exploitation.
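Hardening and detection for this class of flaw, as an added example that is not code from gel-mcp or from the CVE record: a hypothetical rule lookup that allowlists rule_name and then checks canonical-path containment (the fix a maintainer would apply for CWE-22), and a scanner over constructed access-log lines that flags the '../' and absolute-path patterns the recommendation above describes, including percent- and double-percent-encoded forms. The rules directory layout, the log line format and all function names are assumptions.

```python
"""Hardened rule lookup and traversal detection (added example, not gel-mcp code).

Assumptions: rules are stored as files directly under one directory, and each
access-log line has the form '<timestamp> <method> <path-with-query> <status>'.
Neither the directory layout nor the log format is taken from the project.
"""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Allowlist: a rule name is one plain file name, starting with a letter or digit.
RULE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def resolve_rule_path(rule_name: str, rules_dir: Path) -> Path:
    """Map rule_name to a file inside rules_dir; raise ValueError on anything else.

    Two independent checks: a strict allowlist on the name, then a canonical-path
    containment check so '..', separators and symlinks cannot escape rules_dir.
    """
    if not RULE_NAME_RE.fullmatch(rule_name):
        raise ValueError(f"rejected rule name: {rule_name!r}")
    base = rules_dir.resolve()
    candidate = (base / rule_name).resolve()  # collapses '..' and follows symlinks
    if candidate.parent != base:
        raise ValueError(f"rule name escapes rules directory: {rule_name!r}")
    return candidate


def list_rules(rules_dir: Path) -> List[str]:
    """Names of the rule files directly under rules_dir."""
    return sorted(p.name for p in rules_dir.iterdir() if p.is_file())


def fetch_rule(rule_name: str, rules_dir: Path) -> str:
    """Read a rule by name, after validation."""
    return resolve_rule_path(rule_name, rules_dir).read_text(encoding="utf-8")


def check_rule_name_param(raw_value: str) -> Optional[str]:
    """Return a reason if a logged rule_name value looks like a traversal attempt."""
    # Decode twice so double-encoded payloads (%252e%252e%252f) are also caught.
    decoded = unquote(unquote(raw_value))
    if "\x00" in decoded:
        return "NUL byte in rule_name"
    if "../" in decoded or "..\\" in decoded:
        return "parent-directory sequence in rule_name"
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        return "absolute path in rule_name"
    if not RULE_NAME_RE.fullmatch(decoded):
        return "rule_name outside allowlist"
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")


def flag_traversal_requests(log_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines for fetch_rule requests with suspicious rule_name values.

    Returns (line_number, rule_name_as_logged, reason) for each hit.
    """
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/fetch_rule"):
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("rule_name", []):
            reason = check_rule_name_param(value)
            if reason:
                hits.append((n, value, reason))
    return hits


SAMPLE_LOG = [  # constructed lines, not real gel-mcp output
    "2026-04-29T20:01:02Z GET /fetch_rule?rule_name=coding-style.md 200",
    "2026-04-29T20:01:05Z GET /list_rules 200",
    "2026-04-29T20:01:09Z GET /fetch_rule?rule_name=../../etc/hostname 200",
    "2026-04-29T20:01:11Z GET /fetch_rule?rule_name=..%252F..%252Fconfig%252Fapp.toml 200",
    "2026-04-29T20:01:14Z GET /fetch_rule?rule_name=/etc/hostname 404",
]


def make_demo_rules_dir() -> Path:
    """Create a throwaway rules directory holding one constructed sample rule."""
    d = Path(tempfile.mkdtemp(prefix="rules-"))
    (d / "coding-style.md").write_text("# Coding style\nUse four-space indents.\n", encoding="utf-8")
    return d


if __name__ == "__main__":
    rules = make_demo_rules_dir()
    print(list_rules(rules))
    print(fetch_rule("coding-style.md", rules))
    for bad in ("../../etc/hostname", "/etc/hostname", "..", "a/b.md"):
        try:
            fetch_rule(bad, rules)
        except ValueError as exc:
            print("rejected:", exc)
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

The allowlist alone would be enough to stop the traversal; the containment check is kept as a second, independent layer so that a later relaxation of the regex (for example to allow subdirectories) still cannot reach outside the rules directory. The log scanner decodes the parameter twice because a single decode, which most access-log tooling applies, misses double-encoded separators.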

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 08:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Geldata
                                       Geldata gel-mcp
Vendors & Products                     Geldata
                                       Geldata gel-mcp

Wed, 29 Apr 2026 20:45:00 +0000

Type          Values Removed   Values Added
Description                    A security flaw has been discovered in geldata gel-mcp 0.1.0. This impacts the function list_rules/fetch_rule of the file src/gel_mcp/server.py. The manipulation of the argument rule_name results in path traversal. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Title                          geldata gel-mcp server.py fetch_rule path traversal
Weaknesses                     CWE-22
References
Metrics                        cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
                               cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
                               cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-29T20:00:18.350Z

Reserved: 2026-04-29T12:53:42.267Z

Link: CVE-2026-7403

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-04-29T21:16:22.153

Modified: 2026-04-29T21:16:40.893

Link: CVE-2026-7403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:20:29Z

Weaknesses