CVE-2026-27735 — MCP Reference Servers git_add Path Traversal
- CVE-2026-27735 affects the MCP reference servers' mcp-server-git component, specifically the git_add tool.
- File paths passed to git_add were not validated against repository boundaries, allowing ../ sequences to stage files outside the intended repository.
- The root cause was use of GitPython's repo.index.add() rather than the Git CLI; the GitPython call performs no path-boundary enforcement.
- Versions prior to 2026.1.14 are affected; the patched version is available and users are urged to upgrade immediately.
- This is part of a broader pattern of path traversal and input-validation weaknesses across MCP servers, including SSRF, LFI, and credential-theft vectors documented by multiple researchers.
- AI agents connected to MCP servers inherit the server's filesystem access scope — a path traversal in a git tool can expose arbitrary files to an LLM agent.
Why it matters
MCP reference servers are the baseline implementation that many teams use to connect AI agents to version control. A path traversal in git_add means an attacker who can influence agent input (via indirect prompt injection, malicious commit messages, or crafted PR titles) can cause the agent to stage and potentially exfiltrate files from anywhere on the filesystem — not just the repository. Since MCP servers run with the developer's credentials, this also enables repo poisoning at scale.
What to do
- Upgrade mcp-server-git to 2026.1.14 or later immediately.
- Audit all MCP servers in your agent toolchain for path-validation issues — the same pattern likely exists in other reference server components.
- Run MCP servers with the minimum filesystem scope required; use container or sandbox isolation to limit blast radius.
- Review which tools your agents have access to and ensure file-path inputs are sanitized at the protocol level, not just at the tool level.
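An added example, not code from the advisory or from the mcp-server-git project, of the repository-boundary check the root-cause bullet and the last recommendation above describe: every path handed to a git_add-style tool is canonicalized (collapsing ../ segments and symlinks) and required to stay under the repository root before anything is staged, and the staging command is then built for the Git CLI with a -- separator. The function names, the scratch directory layout and the file contents are constructed for the demonstration; git itself is not invoked.

```python
"""Repository-boundary check for file paths before staging them.

Added example, not the advisory's or the project's own code. Assumes the tool
receives a repository path and a list of file paths from the agent, as a
git_add-style MCP tool would; git is not executed, only the argv is built.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathOutsideRepositoryError(ValueError):
    """A requested path resolves outside the repository working tree."""


def resolve_within_repo(repo_root: Path, user_path: str) -> Path:
    """Return the canonical path for user_path, or raise if it escapes repo_root.

    Both sides go through os.path.realpath so that '..' segments and symlinks
    are collapsed before the containment check. This containment check is
    what a bare repo.index.add() call never performs.
    """
    root = Path(os.path.realpath(repo_root))
    candidate = Path(user_path)
    if candidate.is_absolute():
        # An absolute path would silently replace the join below; reject it.
        raise PathOutsideRepositoryError(f"absolute path not allowed: {user_path}")
    resolved = Path(os.path.realpath(root / candidate))
    try:
        resolved.relative_to(root)
    except ValueError:
        raise PathOutsideRepositoryError(
            f"{user_path!r} resolves to {resolved}, outside {root}"
        ) from None
    return resolved


def build_git_add_argv(repo_root: Path, files: list[str]) -> list[str]:
    """Validate every path, then build the 'git add' command line.

    All paths are checked before any is staged, so one bad entry rejects the
    whole request instead of leaving a partially staged index. The '--'
    separator keeps a file named like an option (e.g. '--all') from being
    parsed as one by git.
    """
    root = Path(os.path.realpath(repo_root))
    rel = [str(resolve_within_repo(root, f).relative_to(root)) for f in files]
    return ["git", "-C", str(root), "add", "--", *rel]


def demo() -> dict:
    """Build a constructed scratch layout and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        repo = base / "repo"
        (repo / "src").mkdir(parents=True)
        (repo / "src" / "app.py").write_text("print('hi')\n")
        outside = base / "secret.txt"  # constructed file outside the repo
        outside.write_text("token=placeholder\n")
        # A symlink inside the tree that points outside it.
        os.symlink(outside, repo / "link_to_secret")

        results = {"ok": build_git_add_argv(repo, ["src/app.py"])[-1]}
        attempts = {
            "dotdot": "../secret.txt",
            "absolute": str(outside),
            "symlink": "link_to_secret",
            "nested_dotdot": "src/../../secret.txt",
        }
        for label, path in attempts.items():
            try:
                build_git_add_argv(repo, [path])
                results[label] = "staged"
            except PathOutsideRepositoryError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one that a purely lexical check (rejecting strings containing "..") misses: the path looks like a plain file name inside the repository, but its real target is outside, so the check has to run on the resolved path, not the string the agent supplied.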
Sources: