MEDIUM 6.3

CVE-2026-10277: Improper Access Control in MCP Google Workspace Gmail Tool

A security flaw exists in the MCP Google Workspace integration's Gmail tool that allows authenticated users to bypass access controls and manipulate file storage operations. An attacker with valid login credentials can remotely exploit this vulnerability to gain unauthorized access to data or perform unintended modifications. The vulnerability affects the component up to commit 831790e7d5c2663325733d9f5579cc339a267c4c, and a patch has been released.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-266, CWE-284
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. The exploit has been made public and could be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The patch is named 89c091ecf8b9f9c7291d1af0b1966e271f86551c. It is suggested to install a patch to address this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10277 is an improper access control vulnerability in the saveToDisk function within src/tools/gmail.ts of the j3k0 mcp-google-workspace project. The flaw stems from insufficient authorization checks (CWE-266, CWE-284) that permit authenticated attackers to manipulate file storage operations and access data beyond their intended permissions. The vulnerability requires valid credentials (PR:L) but no additional interaction (UI:N), making it exploitable through network access (AV:N) with straightforward exploitation complexity (AC:L). This rolling-release project tracks fixes by commit hash rather than version numbers.

Business impact

Organizations deploying the MCP Google Workspace Gmail integration face potential data leakage and unauthorized file manipulation by internal or compromised users. Since exploitation requires authentication, the primary risk involves privilege escalation or lateral movement by existing account holders. For teams using this integration to manage Gmail workflows or archive sensitive messages, the vulnerability could expose business communications, customer data, or internal records to unauthorized viewing or modification.

Affected systems

The j3k0 mcp-google-workspace project up to commit 831790e7d5c2663325733d9f5579cc339a267c4c is affected. Because this project uses continuous rolling releases without traditional version numbering, all deployments using code before commit 89c091ecf8b9f9c7291d1af0b1966e271f86551c (the patched commit) require remediation. Verify your current commit hash against these values to determine exposure status.

Exploitability

The exploit is actively public. An attacker needs valid authentication credentials to the system and network access to the MCP Google Workspace endpoint—both typically available to employees or compromised user accounts. No special privileges are required beyond basic authenticated access, and the attack requires no user interaction. This combination of public disclosure, low complexity, and authentication-only barrier creates moderate exploitability risk, particularly in environments with large user bases or third-party integrations.

Remediation

Update the mcp-google-workspace project to commit 89c091ecf8b9f9c7291d1af0b1966e271f86551c or later. Given the rolling-release model, pull the latest main branch code and verify the commit hash. If your deployment pins to a specific commit, explicitly update to the patched commit or newer. Test the integration in a non-production environment before deploying to production Gmail workflows.

Patch guidance

Since this project lacks traditional version releases, patching requires a commit-based approach. Identify your currently deployed commit hash (typically visible in your package.json lock file or installed package metadata). Compare it against the vulnerable commit (831790e7d5c2663325733d9f5579cc339a267c4c). If equal or earlier, pull the latest code and verify the patched commit (89c091ecf8b9f9c7291d1af0b1966e271f86551c) is included. Update your dependency lock file and redeploy. Consult the project's repository changelog to confirm no breaking changes accompany the patch.

Detection guidance

Monitor saveToDisk function calls in src/tools/gmail.ts logs for unusual file paths, permissions, or user access patterns. Alert on cases where authenticated users access or write files outside their expected scope. Review Gmail API audit logs within the Google Workspace admin console for unexpected file export or attachment operations. Implement network-level monitoring on MCP Google Workspace service traffic for anomalous access control bypasses. Correlate user authentication timestamps with file manipulation events to identify suspicious timing or account abuse.

Why prioritize this

This vulnerability merits prompt but measured attention. The CVSS 6.3 MEDIUM score reflects its authentication requirement, yet the public exploit, straightforward exploitation, and potential for unauthorized access to sensitive business communications justify near-term patching. Organizations should prioritize this within 2–4 weeks, earlier if users with Gmail integration access handle sensitive data or if your environment has elevated insider risk.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects a network-accessible vulnerability requiring low-level authentication, no user interaction, and low attack complexity. Impact is limited to confidentiality, integrity, and availability on the affected system (not enterprise-wide). The score does not weight the public exploit status or the sensitive nature of Gmail data, so organizations should consider context-specific aggravation factors, such as data classification or compliance obligations around email communications.

Frequently asked questions

Do I need valid credentials to exploit this, or is it unauthenticated?

Valid authentication is required (PR:L in the CVSS vector). An attacker must already have a valid user account or compromise one. This means internal threats, compromised contractor accounts, or social engineering to obtain credentials pose the primary risk.

How do I check if my deployment is vulnerable?

Determine your currently installed commit hash of mcp-google-workspace. Compare it to the vulnerable range up to 831790e7d5c2663325733d9f5579cc339a267c4c. If your commit is earlier than or equal to that hash, you are vulnerable. Check package-lock.json or run 'npm list' to find the installed commit.

What data is at risk if this is exploited?

The vulnerability affects file storage operations within the Gmail tool, so attached files, exported messages, and any data written to disk through saveToDisk are at risk of unauthorized access or manipulation. Depending on your Gmail integration's scope, sensitive business communications, customer data, or internal documents could be exposed.

Is there a workaround if I cannot patch immediately?

Restrict network access to the MCP Google Workspace service to trusted internal networks only. Audit user permissions and disable the Gmail integration for non-essential accounts. Monitor file system access and Gmail API activity closely. However, these are interim measures; patching should be prioritized within weeks, not months.

This analysis is based on publicly disclosed information as of June 2026 and reflects the vulnerability as described in CVE-2026-10277. Commit hashes and patch details are provided by the source data; verify against the official j3k0 mcp-google-workspace repository. Risk scores and impact assessments are general and should be contextualized to your specific deployment, data classification, and threat landscape. No exploit code or detailed attack procedures are provided. Always test patches in a non-production environment before deployment. SEC.co and its analysts make no warranty regarding the completeness or accuracy of this analysis; it is provided for informational purposes to support security decision-making. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).