Git Happens: MCP Flaws Open Door to Code Execution

Key Takeaways

• Three vulnerabilities were disclosed in Anthropic’s official MCP Git server
• Exploitation relied on prompt injection and unsafe tool invocation
• File access and remote code execution were possible in chained attacks
• The issue highlights emerging risks in AI agent and MCP ecosystems

Anthropic MCP Git Server Vulnerabilities Exposed

In January 2026, researchers disclosed three security flaws in Anthropic’s official MCP Git server that allowed attackers to abuse AI-driven tool calls. The vulnerabilities enabled unauthorized file access and, in certain chained scenarios, remote code execution. The incident demonstrates how AI agent frameworks and MCP tooling expand the attack surface beyond traditional application boundaries, increasing risk across AI-enabled development environments. Reporting by The Hacker News and SecurityWeek highlighted the broader implications for AI infrastructure security.

What Happened

In mid-January 2026, security researchers revealed three vulnerabilities affecting mcp-server-git, Anthropic’s open source Git server designed for use with the Model Context Protocol. MCP allows large language models to interact with tools such as Git repositories, enabling AI-assisted development workflows. According to public disclosures, the vulnerabilities were present in default configurations of the MCP Git server and could be triggered through crafted inputs delivered to the connected language model.

Anthropic released fixes across multiple versions of the server after coordinated disclosure. The flaws were reported publicly after patches became available, following standard responsible disclosure practices. Analysis published by SiliconANGLE confirmed that exploitation did not require direct system access, only the ability to influence model inputs processed by MCP-enabled tools.

The incident did not involve a confirmed breach of Anthropic systems, but it exposed systemic risks in AI agent architectures where models can invoke powerful tools without sufficient guardrails.

What are Potential Risks

The vulnerabilities stemmed from insufficient validation of inputs passed from the language model to underlying Git commands. Researchers demonstrated that prompt injection could manipulate MCP tool calls, allowing attackers to specify unauthorized file paths and unsafe command arguments. These weaknesses combined traditional security issues such as path traversal and argument injection with AI-specific risks tied to autonomous tool execution.

In some attack chains, adversaries were able to create or modify Git configuration files and trigger command execution through legitimate Git operations. The AI model effectively acted as an unwitting intermediary, executing attacker-controlled instructions via MCP. This behavior underscores how AI systems differ from traditional applications, as model reasoning and autonomy can amplify the impact of otherwise familiar vulnerabilities.

The incident illustrates how AI agent ecosystems introduce new trust boundaries that are often poorly defined or enforced.

Why It Matters

This incident highlights a growing class of AI supply chain and agent security risks. MCP servers often run in developer environments with access to source code, credentials, and internal systems. Unauthorized file access or code execution in these contexts could lead to intellectual property theft, data exposure, or lateral movement into enterprise networks.

More broadly, the issue reinforces concerns about AI governance and risk management. As organizations adopt AI agents that can interact with tools and infrastructure, failures in input validation and policy enforcement can have outsized consequences. The vulnerabilities raise questions about alignment with emerging frameworks such as the NIST AI Risk Management Framework and forthcoming AI regulations that emphasize secure deployment and oversight.

For enterprises, the incident serves as a warning that AI tooling must be treated as part of the core attack surface, not as a peripheral development aid.

PointGuard AI Perspective

The Anthropic MCP Git server vulnerabilities illustrate why AI security must extend beyond models to include the full AI application and toolchain ecosystem. PointGuard AI helps organizations identify and manage these risks through continuous visibility into AI components, dependencies, and execution paths. By maintaining an AI software bill of materials, PointGuard AI enables teams to understand which models, tools, and integrations are in use and where vulnerabilities may emerge.

PointGuard AI also enforces policy controls around how AI systems interact with sensitive tools and data, reducing the likelihood that prompt injection or unsafe model behavior can trigger high-impact actions. Continuous risk monitoring helps detect abnormal AI activity patterns, including unexpected tool usage that may indicate exploitation attempts.

As AI agents become more autonomous, proactive governance and security controls are essential for trustworthy adoption. PointGuard AI supports organizations in securing AI-driven workflows while enabling innovation without exposing critical systems to unnecessary risk.

Learn more at PointGuard AI Platform Overview, AI Supply Chain Security, and AI Risk Management.

Incident Scorecard Details

Total AISSI Score: 7.2/10

Criticality = 8.0, File access and potential code execution risks, AISSI weighting: 25%

Propagation = 7.0, Vulnerabilities affect MCP-enabled environments broadly, AISSI weighting: 20%

Exploitability = 7.5, Prompt injection and tool misuse lower attack barriers, AISSI weighting: 15%

Supply Chain = 8.0, Impacts open source AI tooling dependencies, AISSI weighting: 15%

Business Impact = 6.0, Risk to source code, credentials, and development environments, AISSI weighting: 25%

Sources

• The Hacker News: Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
• SecurityWeek: Anthropic MCP Server Flaws Lead to Code Execution and Data Exposure
• SiliconANGLE: Anthropic MCP Git Server Hit by Chained Vulnerabilities