CVE-2026-40576
Received - Intake
Path Traversal in excel-mcp-server Allows Remote File Manipulation

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary, get_excel_path(), fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-22
Description: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40576 is a critical path traversal vulnerability in the excel-mcp-server Python package, versions up to and including 0.1.7. The vulnerability exists in the function get_excel_path(), which is supposed to restrict file operations to a sandbox directory defined by the EXCEL_FILES_PATH environment variable.

Two independent flaws enable exploitation: first, if the input filename is an absolute path, the function returns it without verifying if it is inside the sandbox, allowing access to any file on the filesystem. Second, for relative paths, the function joins the input with the sandbox path but does not resolve or validate the resulting path, allowing directory traversal sequences like '../' to escape the sandbox.

The server runs by default bound to all network interfaces (0.0.0.0) and uses SSE or Streamable-HTTP transport modes that have no authentication. This allows any unauthenticated attacker on the network to remotely read, write, overwrite, and create arbitrary files and directories on the host filesystem by supplying crafted file path arguments to any of the 25 exposed MCP tool handlers.
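
The two flaws described above, reconstructed next to a confined resolver, as an added example (this is not the project's source code or its 0.1.8 patch). The names vulnerable_get_path, confined_path and demo are hypothetical, and the sandbox is a temporary directory created for the run.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_get_path(filename: str, base: str) -> str:
    """Reconstruction of the described behaviour, for comparison only."""
    if os.path.isabs(filename):
        return filename                    # flaw 1: absolute path passed through
    return os.path.join(base, filename)    # flaw 2: joined, never resolved or checked


def confined_path(filename: str, base: str) -> Path:
    """Resolve the candidate, then require that it lies below the sandbox root."""
    root = Path(base).resolve()
    # The '/' operator drops root when filename is absolute, so absolute and
    # relative input both end up in the same containment check below.
    candidate = (root / filename).resolve()  # collapses '..' and follows symlinks
    if root not in candidate.parents:
        raise PermissionError(f"{filename!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    """Map each constructed input to (escapes_with_vulnerable_logic, fixed_verdict)."""
    names = ["report.xlsx", "sub/q1.xlsx", "/etc/passwd",
             "../../etc/passwd", "sub/../../x.xlsx"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "excel_files")   # stands in for EXCEL_FILES_PATH
        os.mkdir(base)
        real_base = os.path.realpath(base) + os.sep
        for name in names:
            reached = os.path.realpath(vulnerable_get_path(name, base))
            escapes = not reached.startswith(real_base)
            try:
                confined_path(name, base)
                verdict = "allowed"
            except PermissionError:
                verdict = "rejected"
            results[name] = (escapes, verdict)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:24} escapes={outcome[0]!s:5} fixed={outcome[1]}")
```

Because the check runs on the resolved path, a symlink inside the sandbox that points outside it is rejected as well; a link swapped in between the check and the file open is not covered by this function.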


How can this vulnerability impact me?

This vulnerability can have severe impacts including loss of confidentiality, integrity, and availability of the affected system.

  • Confidentiality loss: An attacker can read sensitive files anywhere on the host filesystem, including sensitive Excel files or system files like /etc/shadow.
  • Integrity loss: An attacker can overwrite or corrupt files by writing arbitrary data outside the intended sandbox.
  • Availability loss: An attacker can fill disk space or disrupt normal operations by creating large directory trees or files.
  • Potential remote code execution: By planting malicious macro-enabled Excel templates, an attacker could execute code on client machines.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the excel-mcp-server is running in SSE or Streamable-HTTP transport mode and is accessible on the network, especially if it is bound to 0.0.0.0 (all interfaces) without authentication.

To detect exploitation attempts or presence of the vulnerable server, you can monitor network traffic for requests to any of the 25 exposed MCP tool handlers that include suspicious file path arguments, such as absolute paths or relative paths containing traversal sequences like '../'.

Suggested commands to detect the vulnerable server or exploitation attempts include:

  • Use netstat or ss to check if excel-mcp-server is listening on network interfaces: netstat -tulnp | grep excel-mcp-server or ss -tulnp | grep excel-mcp-server
  • Use curl or similar tools to send crafted requests to the MCP tool handlers and observe responses, for example: curl http://<server-ip>:<port>/mcp_handler?filepath=/etc/passwd
  • Monitor logs or network captures (e.g., with tcpdump or Wireshark) for suspicious file path parameters containing absolute paths or '../' sequences targeting the MCP handlers.
  • Check the environment variable EXCEL_FILES_PATH and verify if the server is running a vulnerable version (<= 0.1.7).
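
The monitoring described above, applied to captured request bodies, as an added example that is not part of the original page. It assumes decoded MCP "tools/call" JSON-RPC bodies are available (for instance from a reverse-proxy log) and that the path argument is named filepath as in the advisory; the tool names and sample requests are constructed.

```python
import json
import posixpath

PATH_KEYS = {"filepath"}  # assumption: extend if other tool arguments carry paths


def _call(tool, **arguments):
    """Build one constructed sample request body."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                       "params": {"name": tool, "arguments": arguments}})


SAMPLE_REQUESTS = [                      # constructed, not real traffic
    _call("tool_a", filepath="reports/q1.xlsx", sheet_name="Sheet1"),
    _call("tool_a", filepath="/etc/passwd", sheet_name="Sheet1"),
    _call("tool_b", filepath="../../home/user/data.xlsx"),
    _call("tool_b", filepath="reports/../q1.xlsx"),   # stays inside the base
    json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/list"}),
    "not json at all",
]


def classify_path(value):
    """Return a reason if the path can leave the base directory, else None."""
    unified = value.replace("\\", "/")
    if unified.startswith("/") or unified[1:2] == ":":
        return "absolute path"
    normalized = posixpath.normpath(unified)      # lexical only, no filesystem access
    if normalized == ".." or normalized.startswith("../"):
        return "traversal escapes base directory"
    return None


def scan(bodies):
    """Return (index, tool, path, reason) for every suspicious path argument."""
    findings = []
    for idx, raw in enumerate(bodies):
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict) or msg.get("method") != "tools/call":
            continue
        params = msg.get("params") if isinstance(msg.get("params"), dict) else {}
        args = params.get("arguments") if isinstance(params.get("arguments"), dict) else {}
        for key, value in args.items():
            if key in PATH_KEYS and isinstance(value, str):
                reason = classify_path(value)
                if reason:
                    findings.append((idx, params.get("name"), value, reason))
    return findings
```

Normalizing before matching keeps a path such as reports/../q1.xlsx, which never leaves the base directory, from being flagged the way a plain search for '../' would.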

What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade excel-mcp-server to version 0.1.8 or later, where the vulnerability is fixed by enforcing strict sandbox path validation.

If upgrading immediately is not possible, consider the following temporary mitigations:

  • Restrict network access to the excel-mcp-server by firewalling or binding the server to localhost or a trusted interface instead of 0.0.0.0.
  • Disable or restrict usage of SSE or Streamable-HTTP transport modes that have no authentication.
  • Implement network-level authentication or VPN access to limit exposure of the server.
  • Monitor and audit file system changes and network requests to detect exploitation attempts.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated remote attackers to read, write, overwrite, and create arbitrary files on the host filesystem, leading to confidentiality, integrity, and availability losses.

Such unauthorized access and manipulation of sensitive files can result in exposure or alteration of personal or protected data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on data confidentiality and integrity.

Additionally, the potential for denial of service and remote code execution increases the risk profile, making compliance with security standards more difficult without applying the fix.

