CVE-2026-10277— j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| j3k0 | mcp-google-workspace | 831790e7d5c2663325733d9f5579cc339a267c4c | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-10277
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
j3k0 mcp-google-workspace MCP Gmail Tool gmail.ts saveToDisk access control
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| j3k0 | mcp-google-workspace | 831790e7d5c2663325733d9f5579cc339a267c4c | cpe:2.3:a:j3k0:mcp-google-workspace:*:*:*:*:*:*:*:* |
II. Public POCs for CVE-2026-10277
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-10277
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-10277 (2)
Proof of Concept for CVE-2026-10277 (1)
Other References for CVE-2026-10277 (1)
IV. Related Vulnerabilities
Same weakness: CWE-284
- CVE-2026-9614
Ivanti Neurons for ITSM权限控制漏洞 - CVE-2026-45284
Nextcloud: Wrong condition in the User OIDC app's LdapServic - CVE-2026-45282
Nextcloud: Logged-in user bypasses share password and downlo - CVE-2026-45266
Nextcloud: Unauthorized force-mute from missing permission c - CVE-2026-45157
Nextcloud: Valid share tokens allow to access tempory upload
V. Comments for CVE-2026-10277
No comments yet