Git Outta Here: Exfiltrating Secrets via CVE-2026-27735
Vulnerability ID: CVE-2026-27735
CVSS Score: 6.4
Published: 2026-02-26
A path traversal vulnerability in the Model Context Protocol (MCP) Git server allows attackers (or confused LLMs) to stage and commit files outside the repository root. By abusing the git_add tool, sensitive host files can be added to the git index and exfiltrated via a push.
TL;DR
The mcp-server-git tool used an unsafe GitPython method to stage files. It failed to validate paths, allowing ../../ traversal. An attacker can trick the server into committing /etc/shadow or ~/.ssh/id_rsa and pushing them to a public repo.
⚠️ Exploit Status: POC
Technical Details
Affected Systems
Code Analysis
Commit: 862e717
Fix path traversal in git_add by using git cli wrapper
@@ -132,7 +132,8 @@ def git_add(repo: git.Repo, files: list[str]) -> str:
if files == ["."]:
repo.git.add(".")
else:
- repo.index.add(files)
+ # Use '--' to prevent files starting with '-' from being interpreted as options
+ repo.git.add("--", *files)
return "Files staged successfully"
Mitigation Strategies
Remediation Steps:
References
Read the full report for CVE-2026-27735 on our website for more details including interactive diagrams and full exploit analysis.
More...
Vulnerability ID: CVE-2026-27735
CVSS Score: 6.4
Published: 2026-02-26
A path traversal vulnerability in the Model Context Protocol (MCP) Git server allows attackers (or confused LLMs) to stage and commit files outside the repository root. By abusing the git_add tool, sensitive host files can be added to the git index and exfiltrated via a push.
TL;DR
The mcp-server-git tool used an unsafe GitPython method to stage files. It failed to validate paths, allowing ../../ traversal. An attacker can trick the server into committing /etc/shadow or ~/.ssh/id_rsa and pushing them to a public repo.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-22 (Path Traversal)
- CVSS v4.0: 6.4 (Medium)
- Attack Vector: Network (via MCP)
- EPSS Score: 0.00046 (~14%)
- Impact: Confidentiality High (File Exfiltration)
- Fix Commit: 862e717ff714987bd5577318df09858e14883863
Affected Systems
- mcp-server-git
- Model Context Protocol implementations using GitPython improperly
- mcp-server-git: 2026.1.14)
Code Analysis
Commit: 862e717
Fix path traversal in git_add by using git cli wrapper
@@ -132,7 +132,8 @@ def git_add(repo: git.Repo, files: list[str]) -> str:
if files == ["."]:
repo.git.add(".")
else:
- repo.index.add(files)
+ # Use '--' to prevent files starting with '-' from being interpreted as options
+ repo.git.add("--", *files)
return "Files staged successfully"
Mitigation Strategies
- Upgrade mcp-server-git to version 2026.1.14
- Run MCP servers in sandboxed environments (Docker/Podman)
- Avoid running LLM agents with root privileges
- Implement human-in-the-loop (HITL) authorization for file system operations
Remediation Steps:
- Identify active instances of mcp-server-git.
- Pull the latest docker image or update the python package.
- Verify the version matches 2026.1.14+.
- Audit recent git commits in repositories managed by agents for suspicious file paths.
References
Read the full report for CVE-2026-27735 on our website for more details including interactive diagrams and full exploit analysis.
More...