
Git Outta Here: Exfiltrating Secrets via CVE-2026-27735

Vulnerability ID: CVE-2026-27735
CVSS Score: 6.4
Published: 2026-02-26

A path traversal vulnerability in the Model Context Protocol (MCP) Git server allows attackers (or a confused LLM) to stage and commit files outside the repository root. By abusing the git_add tool, sensitive host files can be added to the git index and exfiltrated via a push.

TL;DR

The mcp-server-git tool used an unsafe GitPython method to stage files. It did not validate the paths it was handed, so ../../ traversal sequences were accepted as-is. An attacker can trick the server into committing /etc/shadow or ~/.ssh/id_rsa and pushing them to a public repo.

⚠️ Exploit Status: POC

Technical Details

CWE ID: CWE-22 (Path Traversal)
CVSS v4.0: 6.4 (Medium)
Attack Vector: Network (via MCP)
EPSS Score: 0.00046 (~14th percentile)
Impact: Confidentiality High (File Exfiltration)
Fix Commit: 862e717ff714987bd5577318df09858e14883863

Affected Systems

mcp-server-git < 2026.1.14
Model Context Protocol implementations u
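The containment check that a git_add-style tool needs in front of its staging call, as an added example that is not code from mcp-server-git, from the fix commit, or from the advisory. The function names (resolve_inside_repo, stage_files_unsafe, stage_files_safe, classify, build_scenario) are hypothetical, the repository layout and the fake key file are constructed in a temp directory, and GitPython is deliberately not imported: the two stage_files_* functions return the absolute paths that would be passed to a repo.index.add() call, so the example runs without a git checkout. The check goes beyond the plain ../../ case the write-up describes and also rejects absolute paths and symlinks that point outside the checkout.

```python
"""Added example, not code from mcp-server-git or the advisory.

The write-up says git_add forwarded caller-supplied paths to a GitPython
staging call with no validation, so '../../etc/shadow' landed in the index.
This shows the containment check a practitioner would put in front of that
call. Hypothetical names; GitPython is not used, the stage_files_* functions
return the absolute paths that *would* reach repo.index.add().
"""
import os
import tempfile
from pathlib import Path


class PathEscapesRepo(ValueError):
    """A requested path resolves to a location outside the repository root."""


def resolve_inside_repo(repo_root: str, user_path: str) -> str:
    """Canonicalise user_path relative to repo_root and prove it stays inside.

    realpath() collapses '..' segments and follows symlinks, so both
    '../../etc/shadow' and a link 'repo/link -> /etc' are caught.
    os.path.join() discards repo_root when user_path is absolute, which is
    what we want: '/etc/shadow' then fails the containment test.
    commonpath() rather than startswith() avoids the '/repo' vs '/repo2' trick.
    """
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    try:
        contained = os.path.commonpath([root, candidate]) == root
    except ValueError:  # different drives on Windows: cannot be contained
        contained = False
    if not contained:
        raise PathEscapesRepo(f"{user_path!r} resolves to {candidate!r}, outside {root!r}")
    return candidate


def stage_files_unsafe(repo_root: str, paths: list[str]) -> list[str]:
    """Vulnerable pattern: every path is forwarded to the index exactly as given."""
    return [os.path.realpath(os.path.join(repo_root, p)) for p in paths]


def stage_files_safe(repo_root: str, paths: list[str]) -> list[str]:
    """Hardened: validate every path first, so one bad entry stages nothing."""
    return [resolve_inside_repo(repo_root, p) for p in paths]


def build_scenario() -> tuple[str, str]:
    """Constructed layout: base/repo (the checkout) and base/outside (host
    secrets, standing in for ~/.ssh). Returns (repo_root, outside_dir)."""
    base = tempfile.mkdtemp(prefix="mcp-git-demo-")
    repo = os.path.join(base, "repo")
    outside = os.path.join(base, "outside")
    os.makedirs(repo)
    os.makedirs(outside)
    Path(repo, "README.md").write_text("hello\n")
    Path(outside, "id_rsa").write_text("-----BEGIN CONSTRUCTED KEY-----\n")
    try:
        os.symlink(outside, os.path.join(repo, "link"))  # repo/link -> outside
    except OSError:
        pass  # symlinks unavailable here; the traversal cases still apply
    return repo, outside


def classify(repo_root: str, paths: list[str]) -> dict[str, str]:
    """Map each requested path to 'staged' or 'rejected' under the safe check."""
    verdict = {}
    for p in paths:
        try:
            resolve_inside_repo(repo_root, p)
            verdict[p] = "staged"
        except PathEscapesRepo:
            verdict[p] = "rejected"
    return verdict


if __name__ == "__main__":
    repo, outside = build_scenario()
    attacker = ["README.md", "../outside/id_rsa", "link/id_rsa", "/etc/shadow"]
    print("unsafe would stage:", stage_files_unsafe(repo, attacker))
    print("safe verdicts:     ", classify(repo, attacker))
```

Two design points worth keeping when porting this to a real server: validate the whole list before staging anything, so a single traversal entry cannot be smuggled in alongside legitimate files, and canonicalise with realpath() rather than normpath(), because lexical normalisation alone leaves the symlink case open.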



