CVE-2026-27203: eBay API MCP Server Affected by Environment Variable Injection

February 19, 2026 (updated February 23, 2026)

The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file.

References

github.com/YosefHayim/ebay-mcp
github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a
github.com/YosefHayim/ebay-mcp/security/advisories/GHSA-97rm-xj73-33jh
github.com/advisories/GHSA-97rm-xj73-33jh
nvd.nist.gov/vuln/detail/CVE-2026-27203

Code Behaviors & Features

Detect and mitigate CVE-2026-27203 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →