CVE-2026-27735

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-27735

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27735.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-27735

Aliases

GHSA-vjqx-cfc4-9h6v

Published

2026-02-25T23:45:52.077Z

Modified

2026-02-26T19:35:11.064907Z

Severity

6.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N CVSS Calculator

Summary

mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries

Details

Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. Because the tool used GitPython's repo.index.add() rather than the Git CLI, relative paths containing ../ sequences that resolve outside the repository were accepted and staged into the Git index. Users are advised to upgrade to 2026.1.14 or newer to remediate this issue.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27735.json"
}

References

Affected packages

Git / github.com/modelcontextprotocol/servers

Affected ranges

Type

GIT

Repo

https://github.com/modelcontextprotocol/servers

Events

Introduced

Fixed

3e805376da81c063c2798410906b5fd134334a43

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2026.1.14"
        }
    ]
}

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27735.json"