A vulnerability was found in tugcantopaloglu godot-mcp 2.0.0 and classified as critical. Affected by this vulnerability is the function
validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal.
This vulnerability is known as CVE-2026-15522. Attacking locally is a requirement. Furthermore, an exploit is available.
It is suggested to upgrade the affected component.