Description

eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication.

INFO

Published Date :

2026-02-20T23:30:46.134Z

Last Modified :

2026-02-25T21:29:27.100Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27203 vulnerability.

Vendors Products
Yosefhayim
  • Ebay-mcp
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27203.

URL Resource
https://github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a cve-icon cve-icon
https://github.com/YosefHayim/ebay-mcp/security/advisories/GHSA-97rm-xj73-33jh cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact