CVE-2026-27735 Overview
CVE-2026-27735 is a path traversal vulnerability affecting Model Context Protocol (MCP) Servers, specifically the mcp-server-git component. In versions prior to 2026.1.14, the git_add tool failed to validate that file paths provided in the files argument remained within repository boundaries. This allows attackers to stage arbitrary files from outside the repository into the Git index by using relative path sequences containing ../ traversal patterns.
Critical Impact
Attackers can stage sensitive files from outside the repository directory, potentially exposing configuration files, credentials, or other sensitive data when commits are pushed to remote repositories.
Affected Products
- Model Context Protocol Servers mcp-server-git versions prior to 2026.1.14
Discovery Timeline
- 2026-02-26 - CVE CVE-2026-27735 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27735
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The root cause lies in the implementation choice within the git_add tool, which utilizes GitPython's repo.index.add() method rather than invoking the Git CLI directly.
The GitPython library's repo.index.add() function does not inherently restrict path resolution to within the repository's root directory. When a user supplies a file path containing directory traversal sequences (such as ../../../etc/passwd), the path resolves to a location outside the repository boundary, yet the file is still staged into the Git index.
This differs from the behavior of the native Git CLI, which includes built-in safeguards against staging files from outside the working tree. By bypassing the CLI in favor of the Python API, the vulnerability was introduced.
Root Cause
The vulnerability stems from insufficient input validation on the files argument passed to the git_add tool. The implementation trusted user-supplied paths without canonicalizing them or verifying they resolve to locations within the repository's working directory. The use of GitPython's repo.index.add() method directly processes relative paths without enforcing repository boundary constraints, unlike the Git CLI which would reject such paths.
Attack Vector
An attacker exploiting this vulnerability would craft a malicious request to the git_add tool containing file paths with ../ sequences designed to traverse outside the repository directory. For example, providing a path like ../../../etc/passwd or ../../../home/user/.ssh/id_rsa would cause those sensitive files to be staged into the repository's Git index.
Once staged, if a commit operation follows and the changes are pushed to a remote repository, the attacker-controlled content from outside the repository becomes part of the version history, potentially exposing sensitive system files, credentials, or configuration data to anyone with access to the repository.
The vulnerability requires user interaction, as the malicious path must be accepted and processed by the MCP server. Network access to the MCP server is required to trigger the vulnerable functionality.
Detection Methods for CVE-2026-27735
Indicators of Compromise
- Presence of files in Git staging area or commit history that originate from outside the repository directory
- Git index entries containing path traversal sequences or references to system files (e.g., /etc/passwd, .ssh/ files, .env files)
- Unexpected sensitive data appearing in repository commits
Detection Strategies
- Monitor git_add operations for file paths containing ../ sequences
- Implement file integrity monitoring on Git repositories to detect staging of files outside expected directories
- Review commit histories for anomalous file additions that don't correspond to expected project files
- Deploy application-layer firewall rules to detect and block path traversal patterns in API requests
Monitoring Recommendations
- Enable verbose logging for MCP server operations, particularly the git_add tool
- Set up alerts for any file operations that reference paths outside the repository root
- Periodically audit Git index contents and recent commits for unauthorized file inclusions
How to Mitigate CVE-2026-27735
Immediate Actions Required
- Upgrade mcp-server-git to version 2026.1.14 or newer immediately
- Audit Git repositories managed by affected MCP server instances for any unauthorized file staging or commits
- Review recent commit history for evidence of path traversal exploitation
- If sensitive files were exposed, rotate any compromised credentials and assess data breach impact
Patch Information
The vulnerability has been remediated in mcp-server-git version 2026.1.14. Users should upgrade to this version or later to address the path traversal issue. Technical details about the fix are available in the GitHub Pull Request #3164. The GitHub Security Advisory GHSA-vjqx-cfc4-9h6v provides additional context on the vulnerability.
Workarounds
- Implement input validation at the application layer to reject file paths containing ../ sequences before they reach the git_add tool
- Restrict network access to the MCP server to trusted clients only
- Deploy a Web Application Firewall (WAF) configured to block path traversal patterns in incoming requests
- Consider using file system permissions to limit which directories the MCP server process can access
# Configuration example
# Upgrade mcp-server-git to patched version
pip install --upgrade mcp-server-git>=2026.1.14
# Verify installed version
pip show mcp-server-git | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
