critical · MCP server

AGS-2026-0009

Anthropic Git MCP server — three flaws enabling file access + RCE (CVE-2025-68143/68144/68145)

What happened

In January 2026, three vulnerabilities were disclosed in mcp-server-git, the official Anthropic-maintained Git MCP server:

  • CVE-2025-68143: arbitrary file read via a crafted Git command.
  • CVE-2025-68144: arbitrary file deletion via path traversal in resource handling.
  • CVE-2025-68145: code execution under certain conditions.

All three are exploitable via prompt injection — the attacker doesn't need direct MCP access; they just need to influence content the agent will read.

Self-check

AgentGuard subscribers receive this advisory automatically and their local guard runs the inspection below.

References