eBay API MCP Server Environment Variable Injection Vulnerability

Vulnerability

An environment variable injection vulnerability has been identified in all versions of eBay API MCP Server. The issue arises in the 'updateEnvFile' function, which appends or replaces values in the .env file without proper validation. The flaw can be exploited through the 'ebay_set_user_tokens' tool, leading to unauthorized modification of environment variables. Such injections could overwrite critical configuration settings, cause a denial of service by disrupting server operations, and in some cases potentially allow remote code execution by manipulating certain environment variables.

Impact

Exploitation of this vulnerability allows for arbitrary injection of environment variables into the .env file, leading to configuration overwrites, denial-of-service conditions, and in some environments, remote code execution.
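
The unvalidated append-or-replace pattern described above, next to a validated form, as an added example that is not the eBay API MCP Server's own code. The function names, key names and sample input are hypothetical, and it assumes the injection comes from line breaks in the supplied value, which the advisory does not spell out.

```javascript
// Added example with hypothetical names; not the eBay API MCP Server's code.
const ALLOWED_KEYS = new Set(['EXAMPLE_ACCESS_TOKEN', 'EXAMPLE_REFRESH_TOKEN']);

// Replace the line for `key` if present, otherwise append it.
function writeEntry(text, key, value) {
  const lines = text.split(/\r?\n/).filter((l) => l !== '');
  const i = lines.findIndex((l) => l.startsWith(`${key}=`));
  if (i >= 0) lines[i] = `${key}=${value}`;
  else lines.push(`${key}=${value}`);
  return lines.join('\n') + '\n';
}

// Unvalidated pattern: caller-supplied text goes straight into the file.
function unsafeUpdate(text, key, value) {
  return writeEntry(text, key, value);
}

// Hardened pattern: fixed key allowlist, bounded single-line values only.
function safeUpdate(text, key, value) {
  if (!ALLOWED_KEYS.has(key)) throw new Error(`key not allowed: ${key}`);
  if (typeof value !== 'string' || value.length === 0 || value.length > 8192) {
    throw new Error(`bad type or length for ${key}`);
  }
  // Control characters (CR, LF, NUL, ...) and Unicode line separators
  // would end the entry early or corrupt the file, so reject them.
  if (/[\u0000-\u001f\u007f\u2028\u2029]/.test(value)) {
    throw new Error(`control character in value for ${key}`);
  }
  return writeEntry(text, key, value);
}

// Names of the variables a file's text defines, for before/after comparison.
function definedKeys(text) {
  return text.split(/\r?\n/)
    .filter((l) => !l.startsWith('#') && l.includes('='))
    .map((l) => l.slice(0, l.indexOf('=')));
}

// Constructed sample input (assumption: a value carrying a line break).
const before = 'EXAMPLE_ACCESS_TOKEN=old\nLOG_LEVEL=info\n';
const crafted = 'new\nINJECTED_KEY=1';

function demo() {
  const unsafeKeys = definedKeys(unsafeUpdate(before, 'EXAMPLE_ACCESS_TOKEN', crafted));
  let rejected = false;
  try { safeUpdate(before, 'EXAMPLE_ACCESS_TOKEN', crafted); } catch (e) { rejected = true; }
  const okKeys = definedKeys(safeUpdate(before, 'EXAMPLE_ACCESS_TOKEN', 'new-token'));
  return { unsafeKeys, rejected, okKeys };
}
console.log(demo());
```

Comparing `definedKeys` before and after a write is also a cheap integrity check: a token update should never change the set of variable names in the file.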

Added: Feb 21, 2026, 12:18 AM
Updated: Feb 21, 2026, 12:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.9
remediation: 0.0
relevance: 3.3
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.