Critical (9.4)

Excel MCP server path traversal (CVE-2026-40576)

CVE-2026-40576 path traversal in excel-mcp-server up to 0.1.7 lets unauthenticated attackers read or overwrite any host file. Update to version 0.1.8 now.

Patch now - CVE-2026-40576 is a critical path-traversal vulnerability in excel-mcp-server versions up to 0.1.7 that lets unauthenticated network attackers read, write, or overwrite arbitrary files on the host filesystem. Update to version 0.1.8 or restrict network access immediately.

Overview

A path traversal vulnerability in excel-mcp-server, a Model Context Protocol server for Excel file manipulation, allows unauthenticated network attackers to read, write, and overwrite arbitrary files on the host filesystem. The flaw affects all versions up to and including 0.1.7. The server is intended to restrict file access to a directory specified by the EXCEL_FILES_PATH environment variable, but the get_excel_path() function contains two independent bypass mechanisms.

Vulnerability Details

The get_excel_path() function fails to enforce the directory boundary in two ways:

  • It passes absolute paths through without any validation
  • It joins relative paths without resolving or checking the result

This means any of the 25 exposed MCP tool handlers can accept a crafted filepath argument that escapes the intended directory. When the server runs in SSE or Streamable-HTTP transport mode (the default remote deployment configuration), the server binds to 0.0.0.0 with no authentication required. An attacker on the network can supply filepath values such as /etc/passwd or ../../../etc/shadow to read, write, or overwrite arbitrary files.
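The two gaps described above, next to a resolver that closes both, as an added example: this is not excel-mcp-server's code or its 0.1.8 fix. The names `naive_excel_path` and `safe_excel_path`, the sample filenames, and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def naive_excel_path(base: str, filename: str) -> str:
    """Hypothetical sketch of the flawed pattern the advisory describes."""
    if os.path.isabs(filename):
        return filename                    # gap 1: absolute path passed through
    return os.path.join(base, filename)    # gap 2: joined, never resolved or checked


def safe_excel_path(base: str, filename: str) -> Path:
    """Resolve the requested path and require it to stay under base."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filepath")
    root = Path(base).resolve(strict=True)
    # Joining an absolute path onto root discards root, so one resolve() plus
    # one containment check covers absolute and relative inputs alike.
    candidate = (root / filename).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PermissionError(f"path escapes allowed directory: {filename!r}")
    return candidate


SAMPLES = ["report.xlsx", "sub/q1.xlsx", "/etc/passwd", "../../../etc/shadow",
           "sub/../../outside.xlsx", "link/x.xlsx"]  # constructed inputs


def demo() -> dict:
    """Run the constructed samples through the hardened resolver."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "excel_files")
        os.makedirs(os.path.join(base, "sub"))
        # A symlink inside base that points outside it; resolve() follows it.
        os.symlink(tmp, os.path.join(base, "link"))
        results = {}
        for s in SAMPLES:
            try:
                safe_excel_path(base, s)
                results[s] = "allowed"
            except (PermissionError, ValueError):
                results[s] = "rejected"
        return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name}")
```

Because the check runs on the resolved path, a symlink inside the allowed directory that points elsewhere is rejected along with the `..` and absolute-path cases.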

Impact

Successful exploitation gives an attacker the ability to:

  • Read sensitive files (configuration files, credentials, application data)
  • Write or overwrite files (modify system configurations, plant malicious scripts)
  • Potentially achieve further lateral movement or privilege escalation on the host

The CVSS score of 9.4 (Critical) reflects the low attack complexity, no required privileges, and no user interaction needed.

Affected Versions

All versions of excel-mcp-server from initial release through version 0.1.7 are vulnerable.

Remediation

Update to excel-mcp-server version 0.1.8, which contains the fix for this vulnerability. If immediate patching is not possible, consider these mitigations:

  • Restrict network access to the server using firewall rules
  • Do not expose the server on untrusted networks
  • Run the server with minimal filesystem permissions
  • Monitor logs for suspicious filepath arguments

For broader context on similar vulnerabilities in AI frameworks, see LangChain, LangGraph Flaws Expose Files, Secrets. For the latest on exploited vulnerabilities tracked by CISA, see CISA adds 8 exploited flaws to KEV catalog, sets deadli.

Security Insight

This vulnerability highlights a recurring pattern in AI-adjacent infrastructure: model context protocol servers often expose file system access through tool handlers, yet fail to implement proper path validation. The fact that 25 separate handlers all share a flawed path-checking function suggests a systemic lack of security review in the codebase rather than an isolated oversight. Projects building on MCP or similar agent frameworks should treat every file-access handler as a potential remote file system bridge and audit path validation logic independently.
