CVE-2026-27203

Name of the Vulnerable Software and Affected Versions eBay API MCP Server (all versions)

Description An environment variable injection issue exists in the updateEnvFile function located in src/auth/oauth.ts. The ebay set user tokens tool allows updating the .env file with new tokens, but the updateEnvFile function appends or replaces values without validating them for quotes or newlines. This lack of sanitization enables an attacker to inject arbitrary environment variables into the configuration file. Potential impacts include configuration overwrites, such as hijacking OAuth flows by modifying EBAY REDIRECT URI, Denial of Service by injecting invalid configurations, and Remote Code Execution (RCE) by controlling variables like NODE OPTIONS.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the ebay set user tokens tool and the updateEnvFile function to minimize the risk of exploitation.