GitLab Advisory — mcp-server-git path traversal (CVE-2026-27735)

AI relevance: MCP Git servers are common agent tools; a path traversal in git_add can let attacker-controlled prompts stage sensitive files for commit/push in AI-driven workflows.

  • CVE-2026-27735 impacts mcp-server-git versions prior to 2026.1.14.
  • The git_add tool accepted ../ sequences that resolve outside the repository root.
  • Root cause: repo.index.add() in GitPython doesn’t enforce working-tree boundary checks on relative paths.
  • An attacker can stage arbitrary host files, then trick an agent into committing and pushing them.
  • The fix switches to repo.git.add(), which delegates to the Git CLI and rejects out-of-tree paths.

Security impact

Path traversal in a Git MCP server undermines the “repo-only” boundary. Agents that should only access a specific repository can be coerced into reading arbitrary files on the host — SSH keys, environment configs, or local secrets. In agent workflows, a prompt injection can be enough to steer a tool into exfiltrating sensitive host data even if the agent’s normal tasks are innocuous.

Path traversal also creates supply-chain risk: a malicious user can read or overwrite repository metadata (hooks, config), causing downstream CI/CD pipelines to execute attacker-controlled code. For AI agents that trigger builds or commits, the traversal becomes a bridge from “read-only tool” to “execution in CI.”

Mitigation strategy

Patch immediately and treat all file path input as hostile. Enforce path normalization and jail every file operation to a fixed repo root. If the tool must read outside the repo, explicitly allowlist the paths. For CI-integrated agents, ensure the build pipeline runs with restricted tokens and doesn’t execute repo hooks by default.

Why it matters

  • Agentic code workflows often automate commit/push; staging arbitrary files turns a prompt into data exfiltration.
  • MCP reference servers are frequently reused in production, so this bug can propagate quickly into enterprise toolchains.
  • Git tool vulnerabilities compound with filesystem or secrets tools, widening the blast radius.

What to do

  • Upgrade: Move to mcp-server-git 2026.1.14+.
  • Constrain tool scopes: enforce repo-root allowlists and block absolute paths in tool arguments.
  • Sandbox MCP servers: run with least-privilege filesystem access and no secret mounts.
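
The "enforce path normalization and jail every file operation to a fixed repo root" mitigation, together with the "block absolute paths in tool arguments" item above, can be sketched as a pre-check that runs before any staging call. This is an added example, not code from mcp-server-git or GitPython; `jail_paths`, `PathOutsideRepo` and the sample file names are hypothetical, and the inputs are constructed.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideRepo(ValueError):
    """A tool argument resolves outside the repository root."""


def jail_paths(repo_root, files):
    """Return normalized repo-relative paths, or raise PathOutsideRepo.

    Hypothetical helper (not part of mcp-server-git or GitPython): run it
    on every path argument before the path reaches any staging call.
    """
    root = Path(repo_root).resolve(strict=True)
    safe = []
    for raw in files:
        if "\x00" in raw or os.path.isabs(raw):
            raise PathOutsideRepo(f"rejected path argument: {raw!r}")
        # resolve() collapses ../ segments and follows symlinks, so a link
        # that points out of the tree fails the containment check too.
        # That is stricter than Git, which would stage the link itself.
        target = (root / raw).resolve()
        try:
            rel = target.relative_to(root)
        except ValueError:
            raise PathOutsideRepo(f"escapes repo root: {raw!r}") from None
        safe.append(rel.as_posix())
    return safe


def demo():
    """Run the check over constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "repo")
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "app.py").write_text("print('hi')\n")
        Path(tmp, "secret.env").write_text("TOKEN=constructed\n")
        os.symlink(Path(tmp, "secret.env"), repo / "link.env")
        args = ["src/app.py", "src/../src/app.py", "../secret.env",
                "src/../../secret.env", "/constructed/abs/path", "link.env"]
        results = {}
        for arg in args:
            try:
                results[arg] = jail_paths(repo, [arg])[0]
            except PathOutsideRepo:
                results[arg] = None  # None marks a rejected argument
        return results
```

Pass the returned normalized paths to the staging call rather than the raw arguments, so the value that was checked is the value that is used.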
