CVE-2026-27203
Received Received - Intake
Environment Variable Injection in eBay MCP Server Enables RCE

Publication date: 2026-02-21

Last updated on: 2026-02-21

Assigner: GitHub, Inc.

Description
eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file. An attacker can inject arbitrary environment variables into the .env file. This could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time of publication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-21
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27203
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ebay ebay_set_user_tokens 1.7.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

CVE-2026-27203 is a vulnerability in the ebay_set_user_tokens tool of the eBay API MCP Server. The issue lies in the updateEnvFile function, which updates the .env configuration file by appending or replacing environment variable values without validating inputs for special characters like newlines or quotes.

This lack of input validation allows an attacker to inject arbitrary environment variables into the .env file, potentially leading to configuration overwrites, Denial of Service (DoS), and even Remote Code Execution (RCE).

Impact Analysis

The vulnerability can have several serious impacts:

  • Configuration Overwrites: Attackers can overwrite critical environment variables such as EBAY_REDIRECT_URI, potentially hijacking OAuth authentication flows.
  • Denial of Service (DoS): Injecting malformed or invalid configuration data can prevent the server from starting.
  • Potential Remote Code Execution (RCE): In certain environments, controlling environment variables like NODE_OPTIONS can lead to execution of arbitrary code.
Mitigation Strategies

To mitigate the vulnerability in the ebay_set_user_tokens tool, you should avoid using the vulnerable updateEnvFile function that blindly appends or replaces environment variables without validation.

A safer approach involves updating the environment variable management to use structured parsing and stringification libraries such as dotenv and dotenv-stringify, which securely handle environment variables and prevent injection.

Specifically, the updateEnvFile function should be refactored to:

  • Parse the existing .env file into an object using dotenv.parse()
  • Merge incoming updates safely into the existing environment object
  • Convert the merged environment object back into a properly formatted .env string using dotenv-stringify
  • Write the updated .env file atomically to avoid partial writes

Additionally, ensure that OAuth tokens are loaded exclusively from environment variables rather than code or logs to improve security.

Since no fixed version was available at the time of reporting, manual review and correction of the .env file to remove any injected variables is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart