DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27735: Git Outta Here: Exfiltrating Secrets via CVE-2026-27735

#security #cve #cybersecurity

Git Outta Here: Exfiltrating Secrets via CVE-2026-27735

Vulnerability ID: CVE-2026-27735
CVSS Score: 6.4
Published: 2026-02-26

A path traversal vulnerability in the Model Context Protocol (MCP) Git server allows attackers (or confused LLMs) to stage and commit files outside the repository root. By abusing the git_add tool, sensitive host files can be added to the git index and exfiltrated via a push.

TL;DR

The mcp-server-git tool used an unsafe GitPython method to stage files. It failed to validate paths, allowing ../../ traversal. An attacker can trick the server into committing /etc/shadow or ~/.ssh/id_rsa and pushing them to a public repo.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v4.0: 6.4 (Medium)
  • Attack Vector: Network (via MCP)
  • EPSS Score: 0.00046 (~14%)
  • Impact: Confidentiality High (File Exfiltration)
  • Fix Commit: 862e717ff714987bd5577318df09858e14883863

Affected Systems

  • mcp-server-git < 2026.1.14
  • Model Context Protocol implementations using GitPython improperly
  • mcp-server-git: < 2026.1.14 (Fixed in: 2026.1.14)

Code Analysis

Commit: 862e717

Fix path traversal in git_add by using git cli wrapper

@@ -132,7 +132,8 @@ def git_add(repo: git.Repo, files: list[str]) -> str:
     if files == ["."]:
         repo.git.add(".")
     else:
-        repo.index.add(files)
+        # Use '--' to prevent files starting with '-' from being interpreted as options
+        repo.git.add("--", *files)
     return "Files staged successfully"
Enter fullscreen mode Exit fullscreen mode

Mitigation Strategies

  • Upgrade mcp-server-git to version 2026.1.14
  • Run MCP servers in sandboxed environments (Docker/Podman)
  • Avoid running LLM agents with root privileges
  • Implement human-in-the-loop (HITL) authorization for file system operations

Remediation Steps:

  1. Identify active instances of mcp-server-git.
  2. Pull the latest docker image or update the python package.
  3. Verify the version matches 2026.1.14+.
  4. Audit recent git commits in repositories managed by agents for suspicious file paths.

References

Read the full report for CVE-2026-27735 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)