
eBay API MCP Server: Environment Variable Injection Risk

CVE-2026-27203 GHSA-97rm-xj73-33jh
Summary

A security flaw in the eBay API MCP server allows an attacker to inject malicious environment variables into the configuration file, which could lead to configuration overwrites, denial of service, or even remote code execution. This issue requires immediate attention, and affected users should update their server to prevent exploitation. Upgrade the eBay API MCP server to the latest version to resolve this vulnerability.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| GitHub Actions | ebay-mcp | <= 1.7.2 | |
Original title
eBay API MCP Server Affected by Environment Variable Injection
Original description
The `ebay_set_user_tokens` tool allows updating the `.env` file with new tokens. The `updateEnvFile` function in `src/auth/oauth.ts` blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file.

### Impact
An attacker can inject arbitrary environment variables into the `.env` file. This could lead to:
- **Configuration Overwrites**: Attackers can overwrite critical settings like `EBAY_REDIRECT_URI` to hijack OAuth flows.
- **Denial of Service**: Injecting invalid configuration can prevent the server from starting.
- **Potential RCE**: In some environments, controlling environment variables (like `NODE_OPTIONS`) can lead to Remote Code Execution.

Found with [MCPwner](https://github.com/Pigyon/MCPwner) 🕶
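The description above comes down to one pattern: a tool writes attacker-influenced strings into a `KEY=value` file, and the writer never checks that a value stays on one line. The block below is an added example, not code from the ebay-mcp project, that reconstructs that class of writer next to a hardened one so the difference can be tested in isolation. It works on the `.env` text in memory rather than on disk, assumes the file is later read by a dotenv-style parser, and uses `EBAY_USER_ACCESS_TOKEN` / `EBAY_USER_REFRESH_TOKEN` as placeholder key names (the real tool's keys may differ).

```typescript
// Added example, not the ebay-mcp project's code. It contrasts an env-file
// writer that trusts its inputs with one that validates them.

export type EnvUpdates = Record<string, string>;

// Hypothetical reconstruction of the flawed behaviour: KEY=value is appended
// or replaced verbatim, so a value containing "\n" turns into extra lines.
export function updateEnvUnsafe(contents: string, updates: EnvUpdates): string {
  let out = contents;
  for (const [key, value] of Object.entries(updates)) {
    const line = `${key}=${value}`;
    const re = new RegExp(`^${key}=.*$`, "m");
    out = re.test(out) ? out.replace(re, line) : `${out.trimEnd()}\n${line}\n`;
  }
  return out;
}

// Keys the tool is permitted to write (assumed names, not the project's).
export const ALLOWED_KEYS: ReadonlySet<string> = new Set([
  "EBAY_USER_ACCESS_TOKEN",
  "EBAY_USER_REFRESH_TOKEN",
]);

const KEY_RE = /^[A-Z][A-Z0-9_]*$/;
// Line breaks, NUL and other control characters are never part of a token.
// Double quotes and backslashes are refused as well, because the value is
// written inside double quotes and dotenv-style parsers differ on unescaping.
const FORBIDDEN_IN_VALUE = /[\x00-\x1f\x7f"\\]/;

// Hardened writer: allowlisted keys only, values validated rather than escaped,
// every value written on exactly one quoted line.
export function updateEnvSafe(
  contents: string,
  updates: EnvUpdates,
  allowed: ReadonlySet<string> = ALLOWED_KEYS,
): string {
  const lines = contents.split(/\r?\n/);
  for (const [key, value] of Object.entries(updates)) {
    if (!KEY_RE.test(key) || !allowed.has(key)) {
      throw new Error(`refusing to write env key ${JSON.stringify(key)}`);
    }
    if (FORBIDDEN_IN_VALUE.test(value)) {
      throw new Error(`value for ${key} contains a forbidden character`);
    }
    const line = `${key}="${value}"`; // quoting keeps '#' and spaces intact
    const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
    if (idx === -1) {
      if (lines.length > 0 && lines[lines.length - 1] === "") lines.pop();
      lines.push(line);
    } else {
      lines[idx] = line;
    }
  }
  return lines.join("\n") + "\n";
}

// Counts KEY=... assignments so a caller can check, after writing, that the
// file gained no more keys than it was asked to set.
export function countKeys(contents: string): number {
  return contents
    .split(/\r?\n/)
    .filter((l) => /^[A-Za-z_][A-Za-z0-9_]*=/.test(l)).length;
}
```

With a constructed `.env` holding two keys, handing `updateEnvUnsafe` a value that contains a line break leaves the file with four assignments, while `updateEnvSafe` rejects the same value and, for a legitimate token containing `#` or `^`, writes exactly one new quoted line. Refusing bad values rather than escaping them is deliberate: OAuth token material has no business containing control characters, and a parser-independent rejection is easier to reason about than escaping rules that vary between `.env` loaders.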
NVD CVSS 3.1 score: 8.3
Vulnerability type
CWE-15 External Control of System or Configuration Setting
CWE-74 Injection
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026