CVE-2026-27735: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in modelcontextprotocol servers
CVE-2026-27735 is a medium severity path traversal vulnerability in modelcontextprotocol servers prior to version 2026.1.14. The vulnerability arises because the git_add tool fails to validate file paths properly, allowing relative paths with '../' sequences to escape repository boundaries and be staged into the Git index. This occurs because the tool uses GitPython's repo.index.add(), which does not enforce path restrictions, instead of the Git CLI. Exploitation requires no privileges but does require user interaction. No known exploits are currently reported in the wild.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-27735 affects the modelcontextprotocol servers, specifically versions prior to 2026.1.14. The issue lies in the git_add tool, which is responsible for adding files to a Git repository index. Instead of using the Git command-line interface, the tool uses GitPython's repo.index.add() method. This method does not inherently validate that file paths provided are confined within the repository boundaries. Consequently, an attacker can supply file paths containing relative directory traversal sequences such as '../' that resolve outside the intended repository directory. This improper limitation of pathname (CWE-22) allows files outside the repository scope to be staged into the Git index. Since the vulnerability does not require authentication or privileges but does require user interaction, an attacker could trick a user into adding unintended files, potentially leading to unauthorized file inclusion or manipulation within the repository context. The vulnerability has a CVSS 4.0 base score of 6.4 (medium severity), reflecting its network attack vector, low attack complexity, no privileges required, but requiring user interaction and having a high scope impact. No known exploits have been reported in the wild as of the publication date. The recommended remediation is to upgrade to version 2026.1.14 or newer, where proper path validation has been implemented to restrict file additions strictly within repository boundaries.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized staging of files outside the intended Git repository boundaries. This can lead to several risks: inclusion of sensitive or unintended files into the repository index, which might be committed or pushed to remote repositories; possible manipulation or corruption of repository state; and potential exposure of sensitive data if out-of-scope files are inadvertently shared. For organizations relying on modelcontextprotocol servers for managing Git repositories, this could undermine the integrity and confidentiality of their source code and related assets. While the vulnerability does not directly allow remote code execution or privilege escalation, the ability to stage arbitrary files can be leveraged in complex attack chains, especially in environments with automated CI/CD pipelines or code review processes. The requirement for user interaction limits mass exploitation but targeted attacks against developers or repository maintainers remain a concern. Overall, the vulnerability poses a moderate risk to organizations using affected versions, particularly those with sensitive or critical codebases.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all instances of modelcontextprotocol servers to version 2026.1.14 or later, where the path traversal issue is fixed. Additionally, organizations should implement the following specific measures:
1) Enforce strict input validation on any tools or scripts interacting with GitPython or similar libraries to ensure file paths do not escape repository boundaries.
2) Employ repository access controls and monitoring to detect unusual staging or commit activities, especially involving files outside expected directories.
3) Educate developers and users about the risks of accepting or executing untrusted inputs that may trigger path traversal.
4) Integrate automated security scanning in CI/CD pipelines to detect anomalous file additions or repository state changes.
5) Where feasible, restrict usage of GitPython's repo.index.add() in favor of the Git CLI or other tools that enforce path restrictions.
6) Maintain up-to-date backups and audit logs to facilitate incident response in case of exploitation.
These targeted mitigations complement the upgrade and reduce the risk of exploitation in complex environments.
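One way to implement the path check described in measure 1, shown as an added example rather than the project's own fix or code. The names confine_to_repo, PathOutsideRepoError and demo, and the temporary directory layout, are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path


class PathOutsideRepoError(ValueError):
    """A requested path resolves outside the repository working tree."""


def confine_to_repo(repo_root, requested):
    """Return repo-relative paths for `requested`; raise if any one escapes.

    Hypothetical helper, intended to run before the paths are handed to a
    staging call such as GitPython's repo.index.add().
    """
    root = Path(repo_root).resolve(strict=True)
    safe = []
    for raw in requested:
        # An absolute `raw` replaces `root` in the join; the containment
        # check below still catches it. resolve() collapses '..' and follows
        # symlinks, so a link that leaves the repo is rejected (conservative).
        candidate = (root / raw).resolve()
        try:
            safe.append(candidate.relative_to(root).as_posix())
        except ValueError:
            raise PathOutsideRepoError(f"{raw!r} resolves outside {root}") from None
    return safe


def demo():
    """Classify sample inputs against a constructed layout: repo/ beside secret.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        repo = base / "repo"
        (repo / "src").mkdir(parents=True)
        (repo / "README.md").write_text("readme\n")
        (base / "secret.txt").write_text("outside the repository\n")
        os.symlink(base / "secret.txt", repo / "link.txt")
        samples = {  # constructed inputs, not taken from the advisory
            "plain": "README.md",
            "dotdot_inside": "src/../README.md",
            "dotdot_escape": "../secret.txt",
            "absolute_outside": str(base / "secret.txt"),
            "symlink_out": "link.txt",
        }
        results = {}
        for label, path in samples.items():
            try:
                results[label] = confine_to_repo(repo, [path])
            except PathOutsideRepoError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths rather than searching the input for '../', so a '..' that stays inside the working tree is still accepted while absolute paths and outward-pointing symlinks are refused.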
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, Canada, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T18:37:14.790Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 699f8fb4b7ef31ef0b6dc8c8
Added to database: 2/26/2026, 12:11:32 AM
Last enriched: 2/26/2026, 12:27:41 AM
Last updated: 2/26/2026, 2:31:09 AM