REPRO-2026-00115 CRITICAL RCE
Verified
eBay MCP Server Environment Variable Injection via Crafted Prompts
@anthropic-ai/ebay-mcp-server (npm) Feb 20, 2026
What's the vulnerability?
An attacker can inject arbitrary environment variables into the .env file. This could lead to:
- Configuration Overwrites: Attackers can overwrite critical settings like EBAY_REDIRECT_URI to hijack OAuth flows.
- Denial of Service: Injecting invalid configuration can prevent the server from starting.
- Potential RCE: In some environments, controlling environment variables (like NODE_OPTIONS) can lead to Remote Code Execution.
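A defensive sketch of the .env write path and a matching audit check, added here as an example and not taken from the eBay MCP server or from Pruva. It assumes the injection relies on line breaks or other unexpected characters reaching a value written to .env; the function names, the allowlist and EBAY_CLIENT_ID are hypothetical.

```javascript
// Added example: validate before writing to .env, and audit an existing file.
// ALLOWED_KEYS is an assumed allowlist; EBAY_CLIENT_ID is a hypothetical key.
const ALLOWED_KEYS = new Set(["EBAY_CLIENT_ID", "EBAY_REDIRECT_URI"]);

// Conservative value alphabet: no CR/LF, spaces, quotes, '#', or backslashes,
// so a value can never terminate its own line or open a comment.
const VALUE_RE = /^[A-Za-z0-9._~:\/?&=%@+-]*$/;

function validateEntry(key, value) {
  if (typeof key !== "string" || !ALLOWED_KEYS.has(key)) {
    throw new Error("key is not on the allowlist");
  }
  if (typeof value !== "string" || !VALUE_RE.test(value)) {
    throw new Error("value contains disallowed characters");
  }
}

// Return new .env content with key set to value; throws instead of writing
// anything when the entry fails validation.
function upsertEnv(content, key, value) {
  validateEntry(key, value);
  const lines = content === "" ? [] : content.replace(/\r?\n$/, "").split(/\r?\n/);
  let replaced = false;
  const out = lines.map((line) => {
    if (!line.startsWith(key + "=")) return line;
    replaced = true;
    return `${key}=${value}`;
  });
  if (!replaced) out.push(`${key}=${value}`);
  return out.join("\n") + "\n";
}

// Audit: list keys present in a .env file that are not on the allowlist,
// e.g. a NODE_OPTIONS line nobody intended to configure.
function unexpectedKeys(content) {
  return content
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line !== "" && !line.startsWith("#"))
    .map((line) => line.replace(/^export\s+/, "").split("=")[0].trim())
    .filter((key) => !ALLOWED_KEYS.has(key));
}
```

Running unexpectedKeys over a deployed .env after patching shows whether any unintended variables were already written.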
Found with MCPwner 🕶
Root Cause Analysis
One Command
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
pruva-verify REPRO-2026-00115
or
pruva-verify GHSA-97rm-xj73-33jh
or
pruva-verify CVE-2026-27203
Install:
curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00115/artifacts/repro/reproduction_steps.sh
2. Make executable
chmod +x reproduction_steps.sh
3. Run the script
./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.