GHSA-VJQX-CFC4-9H6V
Vulnerability from github – Published: 2026-02-26 15:16 – Updated: 2026-02-26 15:16

In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. The tool used GitPython's repo.index.add(), which did not enforce working-tree boundary checks for relative paths. As a result, relative paths containing ../ sequences that resolved outside the repository were accepted and staged into the Git index, potentially allowing sensitive files to be exfiltrated via subsequent commit and push operations. The fix in PR #3164 switches to repo.git.add(), which delegates to the Git CLI and properly rejects out-of-tree paths. Users are advised to upgrade to 2026.1.14 or newer to remediate this issue.
mcp-server-git thanks https://hackerone.com/0dd-g for reporting and contributing the fix.
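The missing check described above, as an added illustration that is not the project's code (the actual fix delegates the boundary check to the Git CLI via repo.git.add()): resolve each entry of a files argument against the repository root and reject anything that lands outside it, including ../ sequences, absolute paths, and symlinks inside the tree that point out of it. The function names, the temporary directory layout and the "secret.txt" file are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def is_within_repo(repo_root: str, file_path: str) -> bool:
    """Return True only if file_path resolves to a location inside repo_root.

    Relative inputs are resolved against repo_root; absolute inputs are taken
    as given. resolve() normalises '..' components and follows symlinks, so a
    link inside the working tree that targets a file outside it is rejected
    too. Illustrative check only (hypothetical helper, not mcp-server-git code).
    """
    root = Path(repo_root).resolve()
    candidate = Path(file_path)
    if not candidate.is_absolute():
        candidate = root / candidate
    resolved = candidate.resolve()
    # The root itself ('.') is fine; anything else must have root as an ancestor.
    return resolved == root or root in resolved.parents


def filter_stageable(repo_root: str, files: list[str]) -> tuple[list[str], list[str]]:
    """Split a files argument into (accepted, rejected) before any staging happens."""
    accepted: list[str] = []
    rejected: list[str] = []
    for f in files:
        (accepted if is_within_repo(repo_root, f) else rejected).append(f)
    return accepted, rejected


def build_demo_tree() -> tuple[str, str]:
    """Create a constructed sample layout in a temp dir (plain directory, not a real Git repo):

        <tmp>/repo/README.md        legitimate file inside the tree
        <tmp>/repo/src/             subdirectory, used for a 'src/../README.md' case
        <tmp>/secret.txt            constructed file outside the tree
        <tmp>/repo/leak -> secret   symlink inside the tree pointing outside

    Returns (repo_root, absolute path of the outside file).
    """
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    os.makedirs(os.path.join(repo, "src"))
    Path(repo, "README.md").write_text("demo\n")
    secret = os.path.join(base, "secret.txt")
    Path(secret).write_text("constructed sample content\n")
    os.symlink(secret, os.path.join(repo, "leak"))
    return repo, secret


if __name__ == "__main__":
    repo, secret = build_demo_tree()
    ok, bad = filter_stageable(repo, ["README.md", "src/../README.md", "../secret.txt", secret, "leak"])
    print("accepted:", ok)   # README.md and src/../README.md
    print("rejected:", bad)  # ../secret.txt, the absolute outside path, and the leak symlink
```

The check is done on fully resolved paths rather than on the presence of a `..` substring, because a traversal can also be expressed as an absolute path or through a symlink; rejecting on the resolved location covers all three forms with one comparison.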
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mcp-server-git"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.1.14"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-27735"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-26T15:16:57Z",
"nvd_published_at": "2026-02-26T00:16:25Z",
"severity": "MODERATE"
},
"details": "In `mcp-server-git` versions prior to 2026.1.14, the `git_add` tool did not validate that file paths provided in the files argument were within the repository boundaries. The tool used GitPython\u0027s `repo.index.add(`, which did not enforce working-tree boundary checks for relative paths. As a result, relative paths containing `../` sequences that resolved outside the repository were accepted and staged into the Git index, potentially allowing sensitive files to be exfiltrated via subsequent commit and push operations. The fix in PR #3164 switches to `repo.git.add()`, which delegates to the Git CLI and properly rejects out-of-tree paths. Users are advised to upgrade to 2026.1.14 or newer to remediate this issue.\n\nmcp-server-git thanks https://hackerone.com/0dd-g for reporting and contributing the fix.",
"id": "GHSA-vjqx-cfc4-9h6v",
"modified": "2026-02-26T15:16:57Z",
"published": "2026-02-26T15:16:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-vjqx-cfc4-9h6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27735"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/servers/pull/3164"
},
{
"type": "WEB",
"url": "https://github.com/modelcontextprotocol/servers/commit/862e717ff714987bd5577318df09858e14883863"
},
{
"type": "PACKAGE",
"url": "https://github.com/modelcontextprotocol/servers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.