CVE-2026-27735
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. Because the tool used GitPython's repo.index.add() rather than the Git CLI, relative paths containing `../` sequences that resolve outside the repository were accepted and staged into the Git index. Users are advised to upgrade to 2026.1.14 or newer to remediate this issue.
| CWE | CWE-22 |
| Vendor | modelcontextprotocol |
| Product | servers |
| Published | Feb 25, 2026 |
| Last Updated | Feb 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for modelcontextprotocol servers
Be the first to know when new unknown vulnerabilities affecting modelcontextprotocol servers are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
modelcontextprotocol / servers
< 2026.1.14