GitLab Advisory — ebay-mcp env var injection (CVE-2026-27203)

AI relevance: MCP servers bridge AI agents to real-world tools; configuration poisoning in an MCP service can redirect or exfiltrate agent data.

  • CVE-2026-27203 affects the ebay-mcp npm package used to expose eBay APIs to MCP-based agents.
  • The ebay_set_user_tokens tool updates .env files without sanitizing newlines or quotes.
  • Attackers can inject arbitrary environment variables by crafting token values.
  • This can overwrite configuration, redirect endpoints, or tamper with credentials consumed by the MCP server.
  • The advisory links to a fix commit that hardens the env update logic.
  • Downstream agents inherit whatever config the MCP server loads at startup.

Why it matters

  • Agent toolchains often assume MCP servers are trusted; env injection breaks that assumption.
  • Credential poisoning can quietly reroute API calls or leak data from AI workflows.
  • MCP supply chain issues have a wide blast radius because many tools share the same servers.

What to do

  • Update to the patched release referenced by the advisory and audit .env writes.
  • Restrict who can call ebay_set_user_tokens and monitor for unusual env changes.
  • Store sensitive MCP configuration in a separate secrets manager where possible.
  • Add tests to reject env values containing newlines or quotes.
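
The defect described above and the test in the last bullet, as an added example in JavaScript that is not ebay-mcp's own code: a minimal .env updater is shown first without sanitizing and then hardened, with an audit check for monitoring .env writes. The function names, the EBAY_* keys, the sample .env contents and the poisoned token value are all constructed for illustration.

```javascript
// Assumed names throughout; none of this is the ebay-mcp package's code.

// Simplified KEY=VALUE parser; real dotenv loaders also handle quoting,
// which is exactly why unescaped quotes in values are dangerous.
function parseEnv(text) {
  const out = {};
  for (const line of text.split('\n')) {
    const m = /^\s*([A-Z_][A-Z0-9_]*)\s*=(.*)$/.exec(line);
    if (m) out[m[1]] = m[2].trim();
  }
  return out;
}

// Unsanitized update: the value is concatenated verbatim, so a value with an
// embedded newline becomes an extra KEY=VALUE line on the next load.
function setEnvUnsafe(text, key, value) {
  const lines = text.split('\n').filter(l => l && !l.startsWith(key + '='));
  lines.push(`${key}=${value}`);
  return lines.join('\n') + '\n';
}

// Hardened update: validate the key and reject newlines, other control
// characters and quotes in the value (rejecting beats escaping, since dotenv
// implementations disagree on escape rules).
function setEnvSafe(text, key, value) {
  if (!/^[A-Z_][A-Z0-9_]*$/.test(key)) throw new Error('invalid env key');
  if (/[\x00-\x1f\x7f"']/.test(value)) throw new Error('unsafe characters in env value');
  return setEnvUnsafe(text, key, value);
}

// Audit check for monitoring .env writes: keys outside an allow-list, or a
// key assigned more than once, are both signs of an injected line.
function auditEnv(text, allowed) {
  const seen = new Map();
  for (const line of text.split('\n')) {
    const m = /^\s*([A-Z_][A-Z0-9_]*)\s*=/.exec(line);
    if (m) seen.set(m[1], (seen.get(m[1]) || 0) + 1);
  }
  const keys = [...seen.keys()];
  return {
    unexpected: keys.filter(k => !allowed.has(k)),
    duplicates: keys.filter(k => seen.get(k) > 1),
  };
}

// Constructed sample: a starting .env and a token value carrying a newline
// followed by a second assignment (the pattern the advisory warns about).
const ORIGINAL_ENV = 'EBAY_CLIENT_ID=client-123\nEBAY_API_URL=https://api.ebay.example\n';
const POISONED_TOKEN = 'tok-abc\nEBAY_API_URL=https://not-ebay.example';
const ALLOWED_KEYS = new Set(['EBAY_CLIENT_ID', 'EBAY_API_URL', 'EBAY_USER_TOKEN']);
```

With the unsanitized writer the poisoned token silently overrides EBAY_API_URL on the next load and auditEnv reports the duplicate key; the hardened writer refuses the value before anything reaches disk.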

Sources