CVE-2026-44895: GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships
Summary
GitLab MCP Server (a tool that lets AI agents interact with GitLab) had a critical security flaw in versions before 0.6.0: its HTTP transport exposed an endpoint that processed requests without checking who was calling, so any website could reach it, and a misconfiguration made it reachable from all network interfaces instead of only locally. Together, these allowed attackers from anywhere to make changes to GitLab repositories using the server operator's stored credentials.
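To make the two settings in the summary concrete, here is an added TypeScript example, not code from the GitLab MCP Server or its src/transport.ts: a hypothetical request gate for a locally run MCP HTTP transport, showing the weak configuration (bound to all interfaces, no caller check) beside a corrected one (loopback only, Host header pinned to the listener, cross-site browser requests refused, shared secret required). All names, the configs and the token value are constructed for the example.

```typescript
// Hypothetical request gate for a local MCP HTTP transport (added example, not project code).
export interface TransportConfig {
  bindHost: string;         // interface the listener binds to
  authToken: string | null; // shared secret each request must present; null = none
  allowedHosts: string[];   // Host header values that name this listener
}
export interface IncomingRequest {
  host?: string;          // Host header as received
  origin?: string;        // Origin header; browsers add it to cross-site requests
  authorization?: string; // Authorization header as received
}

// The weak setting the advisory describes: bound to every interface, no caller check.
export const weakConfig: TransportConfig = { bindHost: "0.0.0.0", authToken: null, allowedHosts: [] };

// Corrected: loopback only, Host pinned to the local listener, secret required.
export const hardenedConfig: TransportConfig = {
  bindHost: "127.0.0.1",
  authToken: "constructed-example-secret", // constructed; generate one per run in practice
  allowedHosts: ["127.0.0.1", "localhost", "[::1]"],
};

export function isLoopbackOnly(cfg: TransportConfig): boolean {
  return ["127.0.0.1", "::1", "localhost"].includes(cfg.bindHost);
}

// Strip the port from a Host header value ("localhost:3000" -> "localhost", "[::1]:3000" -> "[::1]").
function hostOnly(header: string): string {
  const h = header.trim().toLowerCase();
  return h.startsWith("[") ? h.slice(0, h.indexOf("]") + 1) : h.split(":")[0];
}

// Compare secrets without leaking where they first differ.
function tokensMatch(presented: string, expected: string): boolean {
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Returns null when the request may proceed, otherwise the reason it was refused.
export function gateRequest(cfg: TransportConfig, req: IncomingRequest): string | null {
  // A web page in the operator's browser can address a loopback port, so require a Host that
  // names this listener and refuse browser cross-site (Origin-bearing) requests outright.
  if (cfg.allowedHosts.length > 0 && (!req.host || !cfg.allowedHosts.includes(hostOnly(req.host)))) {
    return "Host header does not name this listener";
  }
  if (req.origin !== undefined) return "cross-site browser request refused";
  if (cfg.authToken !== null) {
    const presented = req.authorization?.replace(/^Bearer\s+/i, "") ?? "";
    if (!tokensMatch(presented, cfg.authToken)) return "missing or wrong token";
  }
  return null;
}
```

With weakConfig every request passes the gate, which is the state the advisory describes; with hardenedConfig a request must arrive on loopback, carry a local Host, carry no Origin, and present the secret.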
Solution / Mitigation
Update GitLab MCP Server to version 0.6.0, which fixes the vulnerability.
Vulnerability Details
EPSS: 0.0%
May 26, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44895
First tracked: May 26, 2026 at 08:12 PM
Classified by LLM (prompt v3) · confidence: 95%