{"id":229449,"date":"2026-01-21T01:36:40","date_gmt":"2026-01-21T07:36:40","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/01\/three-flaws-in-anthropic-mcp-git-server-enable-file-access-and-code-execution"},"modified":"2026-01-21T01:36:40","modified_gmt":"2026-01-21T07:36:40","slug":"three-flaws-in-anthropic-mcp-git-server-enable-file-access-and-code-execution","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/01\/three-flaws-in-anthropic-mcp-git-server-enable-file-access-and-code-execution","title":{"rendered":"Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/three-flaws-in-anthropic-mcp-git-server-enable-file-access-and-code-execution.jpg\"><\/a><\/p>\n<p>A set of three security vulnerabilities has been disclosed in <a href=\"https:\/\/pypi.org\/project\/mcp-server-git\/\" rel=\"noopener\" target=\"_blank\">mcp-server-git<\/a>, the official Git Model Context Protocol (<a href=\"https:\/\/github.com\/modelcontextprotocol\/servers\" rel=\"noopener\" target=\"_blank\">MCP<\/a>) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions.<\/p>\n<p>\u201cThese flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI assistant reads (a malicious README, a poisoned issue description, a compromised webpage) can weaponize these vulnerabilities without any direct access to the victim\u2019s system,\u201d Cyata researcher Yarden Porat <a href=\"https:\/\/cyata.ai\/blog\/cyata-research-breaking-anthropics-official-mcp-server\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report shared with The Hacker News.<\/p>\n<p>Mcp-server-git is a Python package and an MCP server that provides a set of built-in tools to read, search, and manipulate Git repositories programmatically via large language models (LLMs).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A set of three security vulnerabilities has been disclosed in mcp-server-git, the official Git Model Context Protocol (MCP) server maintained by Anthropic, that could be exploited to read or delete arbitrary files and execute code under certain conditions. \u201cThese flaws can be exploited through prompt injection, meaning an attacker who can influence what an AI [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,1492],"tags":[],"class_list":["post-229449","post","type-post","status-publish","format-standard","hentry","category-robotics-ai","category-security"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=229449"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/229449\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=229449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=229449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=229449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}