Description
The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the configuration file.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.7.2
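The missing check can be sketched as follows. This is an added example, not code from ebay-mcp: it contrasts an unvalidated .env upsert of the kind described above with a variant that rejects newlines, other control characters and quotes before writing. All function names, variable names and sample values are hypothetical, and it works on strings rather than the real file.

```typescript
// Added example: all names and values here are hypothetical, not ebay-mcp source.
const KEY = "EXAMPLE_ACCESS_TOKEN";
const SAMPLE_ENV = `${KEY}=old\n`;                   // constructed .env content
const CRAFTED_VALUE = "tok123\nEXAMPLE_INJECTED=1";  // constructed value with a line break

// Unvalidated upsert of the kind the advisory describes: value written verbatim.
function naiveUpsert(envText: string, key: string, value: string): string {
  const lines = envText.split("\n").filter((l) => l.length > 0);
  const idx = lines.findIndex((l) => l.startsWith(`${key}=`));
  if (idx >= 0) lines[idx] = `${key}=${value}`;
  else lines.push(`${key}=${value}`);
  return lines.join("\n") + "\n";
}

const KEY_RE = /^[A-Z_][A-Z0-9_]*$/;
// Control characters (including CR and LF) and quote characters.
const FORBIDDEN = /[\u0000-\u001f\u007f"'`]/;

// Hardened upsert: refuse the write instead of trying to escape the value.
function safeUpsert(envText: string, key: string, value: string): string {
  if (!KEY_RE.test(key)) throw new Error(`invalid variable name: ${key}`);
  if (FORBIDDEN.test(value)) {
    // The message names the variable only, so the token never reaches logs.
    throw new Error(`value for ${key} contains a control character or quote`);
  }
  return naiveUpsert(envText, key, value);
}

// Variable names a line-based .env parser would see in the text.
function keysIn(envText: string): string[] {
  return envText
    .split("\n")
    .filter((l) => l.includes("="))
    .map((l) => l.slice(0, l.indexOf("=")));
}
```

With the constructed value, naiveUpsert produces text in which keysIn reports two variables, while safeUpsert throws and leaves the content unchanged.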
Tags: npm, ebay-mcp
Last updated on February 23, 2026


