CVE-2026-27203 in ebay-mcpinfo

Zusammenfassung

von MITRE • 21.02.2026

eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

18.02.2026

Veröffentlichung

21.02.2026

Moderieren

akzeptiert

Eintrag

VDB-347248

CPE

bereit

CWE

CWE-15 (bestätigt)

CVSS

8.3 (CNA)

EPSS

0.00021

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-27203
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-27203
CVE Details	https://www.cvedetails.com/cve/CVE-2026-27203/

◂ Zurück Übersicht Weiter ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!