Vulnerability Description
Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. Because the tool used GitPython's repo.index.add() rather than the Git CLI, relative paths containing `../` sequences that resolve outside the repository were accepted and staged into the Git index. Users are advised to upgrade to 2026.1.14 or newer to remediate this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lfprojects | Model Context Protocol Servers | < 2026.1.14 |
Related Weaknesses (CWE)
References
- https://github.com/modelcontextprotocol/servers/pull/3164Issue TrackingPatch
- https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-vjqx-cfPatchVendor Advisory
FAQ
What is CVE-2026-27735?
CVE-2026-27735 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that ...
How severe is CVE-2026-27735?
CVE-2026-27735 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27735?
Check the references section above for vendor advisories and patch information. Affected products include: Lfprojects Model Context Protocol Servers.