A vulnerability was found in tugcantopaloglu godot-mcp 2.0.0 and classified as critical. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal.

This vulnerability is known as CVE-2026-15522. Attacking locally is a requirement. Furthermore, an exploit is available.

It is suggested to upgrade the affected component.