A vulnerability was found in Google MCP Toolbox for Databases up to 1.2.x. It has been classified as critical. Affected is an unknown function of the file /api/v1/users of the component Relative URL Handler. Manipulation of this function causes path traversal. The vulnerability is identified as CVE-2026-11720. The attack can be initiated remotely. There is no exploit available. Upgrading the affected component is recommended.