Executive Summary
In January 2026, three critical vulnerabilities were disclosed in Anthropic's official Model Context Protocol (MCP) Git server, a tool widely used to manage Git repositories programmatically through large language models (LLMs). The flaws, tracked as CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145, comprise two path traversal vulnerabilities and one argument injection vulnerability. Attackers could trigger them through prompt injection delivered in malicious content (e.g., README files or poisoned issue descriptions) to read or overwrite arbitrary files and achieve remote code execution, without any direct access to the victim's systems. Chaining them with the Filesystem MCP server enabled full system compromise until patches shipped in late 2025.
This incident highlights growing risks at the intersection of AI-driven development, supply chain dependencies, and insufficient input validation within reference implementations. As organizations increasingly rely on open-source AI tooling, securing both the application layer and its automation becomes vital in defending against evolving prompt-based and supply chain exploitation.
Why This Matters Now
Prompt injection and supply chain vulnerabilities in reference AI model servers pose immediate threats to the broader ecosystem, especially as these toolchains become widely adopted and trusted by default. Fast-moving AI development is amplifying such risks, making robust input validation and secure-by-design practices urgent to defend against unintentional exposure and remote code execution.
Attack Path Analysis
The attacker initiates the attack by leveraging prompt injection in AI-assisted tooling to exploit unpatched vulnerabilities in the Anthropic MCP Git server. Following compromise, the attacker escalates privileges by exploiting argument injection and path traversal to gain unauthorized access and manipulate files. They pivot laterally to other repositories and MCP server instances by exploiting misconfigurations and chaining access. The adversary establishes command and control using persistent Git filters to enable remote code execution. Data and secrets are potentially exfiltrated by accessing or deleting files or repositories. Finally, the impact is realized as code execution, deletion of data, and potential disruption to development workflows.
Kill Chain Progression
Initial Compromise
Description
The attacker abuses prompt injection (e.g., malicious README or poisoned issue) to trigger the vulnerable git_init functionality in the target AI-integrated MCP Git server, starting the attack without direct access.
Related CVEs
CVE-2025-68143
CVSS 6.5
A path traversal vulnerability in mcp-server-git versions prior to 2025.9.25 allows arbitrary filesystem paths to be used during repository creation without validation, potentially enabling unauthorized access to directories.
Affected Products:
Anthropic mcp-server-git – < 2025.9.25
Exploit Status:
no public exploit
CVE-2025-68144
CVSS 6.3
An argument injection vulnerability in mcp-server-git versions prior to 2025.12.17 allows user-controlled arguments to be passed directly to git CLI commands without sanitization, potentially enabling arbitrary file overwrites.
Affected Products:
Anthropic mcp-server-git – < 2025.12.17
Exploit Status:
no public exploit
CVE-2025-68145
CVSS 6.4
A path traversal vulnerability in mcp-server-git versions prior to 2025.12.17 allows operations on repositories outside the configured path when using the --repository flag without proper validation.
Affected Products:
Anthropic mcp-server-git – < 2025.12.17
Exploit Status:
no public exploit
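The three CVEs above share two root causes: a caller-supplied path that is never checked against the configured repository root, and caller-supplied values that reach the git command line unsanitized. The following is an added example, not code from mcp-server-git or its patches, showing the two checks a defender would expect in front of such a tool; the function names and the repository root are assumptions.

```python
from pathlib import Path

class RejectedRequest(ValueError):
    """Raised when a tool-call argument fails a safety check."""

def contain_path(base_dir: str, requested: str) -> Path:
    """Resolve `requested` and require it to stay inside `base_dir`.

    This is the check missing in the two path traversal CVEs: '..' segments,
    symlinks and absolute paths are collapsed by resolve() before the result
    is compared with the configured repository root.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()  # an absolute `requested` replaces base
    if not target.is_relative_to(base):
        raise RejectedRequest(f"path escapes configured root: {requested!r}")
    return target

def build_git_argv(subcommand: str, user_args: list[str]) -> list[str]:
    """Build a git argv in which user-supplied values can never become options.

    This is the check missing in the argument injection CVE: values starting
    with '-' are rejected, and a literal '--' separates git's own options from
    the user-controlled paths and refs that follow it.
    """
    for arg in user_args:
        if arg.startswith("-"):
            raise RejectedRequest(f"option-like value rejected: {arg!r}")
        if "\0" in arg:
            raise RejectedRequest("NUL byte in argument")
    return ["git", subcommand, "--", *user_args]

def audit(base_dir: str, subcommand: str, repo: str, args: list[str]) -> str:
    """Policy decision for one tool call: 'allow' or 'deny: <reason>'."""
    try:
        contain_path(base_dir, repo)
        build_git_argv(subcommand, args)
    except RejectedRequest as exc:
        return f"deny: {exc}"
    return "allow"

if __name__ == "__main__":
    # Constructed sample tool calls checked against an assumed (hypothetical) root.
    root = "/srv/mcp-repos"
    for repo, args in [("team/api", []), ("../../etc", []), ("team/api", ["--output=/tmp/x"])]:
        print(repo, args, "->", audit(root, "diff", repo, args))
```

Logging the `deny` reasons from `audit` gives a simple detection signal for injected tool calls that try to leave the repository root or smuggle options.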
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: Python
Exploitation for Defense Evasion
Data Manipulation: Stored Data Manipulation
Hijack Execution Flow: DLL Side-Loading
Data Destruction
Process Injection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Address Common Coding Vulnerabilities
Control ID: 6.5.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management – Secure Development
Control ID: Article 9(2)(c)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Software Supply Chain Security
Control ID: Applications - Secure Software Development
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Anthropic MCP Git server vulnerabilities enable prompt injection attacks targeting AI development workflows, compromising source code repositories and enabling remote code execution.
Information Technology/IT
Supply-chain vulnerabilities in MCP servers create path traversal and argument injection risks, threatening Git repository integrity and system security controls.
Computer/Network Security
Security firms using AI-assisted code analysis face exposure to weaponized prompt injection attacks that bypass traditional perimeter defenses and segmentation controls.
Financial Services
Banking institutions leveraging AI development tools risk compliance violations through CVE-2025-68143/44/45 exploits targeting encrypted traffic and zero trust architecture weaknesses.
Sources
- Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution: https://thehackernews.com/2026/01/three-flaws-in-anthropic-mcp-git-server.html (Verified)
- CVE-2025-68143 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-68143 (Verified)
- CVE-2025-68144 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-68144 (Verified)
- CVE-2025-68145 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-68145 (Verified)
- GHSA-5cgr-j3jf-jw3v: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-5cgr-j3jf-jw3v (Verified)
- GHSA-9xwc-hfwc-8w59: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-9xwc-hfwc-8w59 (Verified)
- GHSA-j22h-9j4x-23w5: https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-j22h-9j4x-23w5 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Robust Zero Trust Segmentation, egress policy enforcement, and inline controls could have contained or blocked attacker actions across privilege escalation, lateral movement, and exfiltration phases in this supply-chain attack. Applying cloud-native prevention and visibility would have significantly limited propagation and sensitive data exposure.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline behavioral controls prevent unauthorized resource initialization and logic abuse.
Control: Zero Trust Segmentation
Mitigation: Workload identity segmentation blocks elevated access paths to sensitive file locations.
Control: East-West Traffic Security
Mitigation: Lateral movement is limited by controlling inter-workload traffic.
Control: Multicloud Visibility & Control
Mitigation: Anomalous connections and suspicious automation are quickly detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data exfiltration attempts are prevented to unauthorized destinations.
Exploit payloads and destructive commands are detected and blocked in real time.
Impact at a Glance
Affected Business Functions
- Software Development
- Version Control
Estimated downtime: 3 days
Estimated loss: $50,000
Potential unauthorized access to source code repositories and sensitive configuration files.
Recommended Actions
Key Takeaways & Next Steps
- Rapidly patch all MCP Git server instances and apply vendor-provided updates to address the disclosed vulnerabilities.
- Implement granular Zero Trust Segmentation policies to confine AI-integrated workloads and restrict file system manipulation across service boundaries.
- Enforce strict east-west and egress controls, leveraging policy enforcement to prevent unauthorized internal movement and outbound data flows.
- Deploy real-time Multicloud Visibility and inline IPS tools for anomaly detection and to monitor for exploit attempts tied to known CVEs.
- Integrate automated behavioral controls and continuous monitoring to identify suspicious automation or prompt injection events across AI-augmented developer environments.