CVE-2026-40576
Received Received - Intake
Path Traversal in excel-mcp-server Allows Remote File Manipulation

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary β€” get_excel_path() β€” fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40576
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40576 is a critical path traversal vulnerability in the excel-mcp-server Python package versions up to 0.1.7. The vulnerability exists in the function get_excel_path(), which is supposed to restrict file operations to a sandbox directory defined by the EXCEL_FILES_PATH environment variable.

Two independent flaws enable exploitation: first, if the input filename is an absolute path, the function returns it without verifying if it is inside the sandbox, allowing access to any file on the filesystem. Second, for relative paths, the function joins the input with the sandbox path but does not resolve or validate the resulting path, allowing directory traversal sequences like '../' to escape the sandbox.

The server runs by default bound to all network interfaces (0.0.0.0) and uses SSE or Streamable-HTTP transport modes that have no authentication. This allows any unauthenticated attacker on the network to remotely read, write, overwrite, and create arbitrary files and directories on the host filesystem by supplying crafted file path arguments to any of the 25 exposed MCP tool handlers.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read, write, overwrite, and create arbitrary files on the host filesystem, leading to confidentiality, integrity, and availability losses.

Such unauthorized access and manipulation of sensitive files can result in exposure or alteration of personal or protected data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.

Additionally, the potential for denial of service and remote code execution increases the risk profile, making compliance with security standards more difficult without applying the fix.

Impact Analysis

This vulnerability can have severe impacts including loss of confidentiality, integrity, and availability of the affected system.

  • Confidentiality loss: An attacker can read sensitive files anywhere on the host filesystem, including sensitive Excel files or system files like /etc/shadow.
  • Integrity loss: An attacker can overwrite or corrupt files by writing arbitrary data outside the intended sandbox.
  • Availability loss: An attacker can fill disk space or disrupt normal operations by creating large directory trees or files.
  • Potential remote code execution: By planting malicious macro-enabled Excel templates, an attacker could execute code on client machines.
Detection Guidance

This vulnerability can be detected by checking if the excel-mcp-server is running in SSE or Streamable-HTTP transport mode and is accessible on the network, especially if it is bound to 0.0.0.0 (all interfaces) without authentication.

To detect exploitation attempts or presence of the vulnerable server, you can monitor network traffic for requests to any of the 25 exposed MCP tool handlers that include suspicious file path arguments, such as absolute paths or relative paths containing traversal sequences like '../'.

Suggested commands to detect the vulnerable server or exploitation attempts include:

  • Use netstat or ss to check if excel-mcp-server is listening on network interfaces: netstat -tulnp | grep excel-mcp-server or ss -tulnp | grep excel-mcp-server
  • Use curl or similar tools to send crafted requests to the MCP tool handlers and observe responses, for example: curl http://<server-ip>:<port>/mcp_handler?filepath=/etc/passwd
  • Monitor logs or network captures (e.g., with tcpdump or Wireshark) for suspicious file path parameters containing absolute paths or '../' sequences targeting the MCP handlers.
  • Check the environment variable EXCEL_FILES_PATH and verify if the server is running a vulnerable version (<= 0.1.7).
Mitigation Strategies

The immediate and recommended mitigation step is to upgrade excel-mcp-server to version 0.1.8 or later, where the vulnerability is fixed by enforcing strict sandbox path validation.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict network access to the excel-mcp-server by firewalling or binding the server to localhost or a trusted interface instead of 0.0.0.0.
  • Disable or restrict usage of SSE or Streamable-HTTP transport modes that have no authentication.
  • Implement network-level authentication or VPN access to limit exposure of the server.
  • Monitor and audit file system changes and network requests to detect exploitation attempts.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40576. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart