What is the CVSS score of CVE-2026-40576?

CVE-2026-40576 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of excel-mcp-server are affected by CVE-2026-40576?

excel-mcp-server versions 0.1.7 and earlier contain a critical remote file access vulnerability that allows unauthenticated attackers to read, write, and delete arbitrary files on affected servers.. A patch is available.

How to fix or mitigate CVE-2026-40576?

Within 24 hours: Identify all systems running excel-mcp-server ≤0.1.7 using network inventory or package management tools; isolate or air-gap affected instances if immediate patching is not feasible. Within 7 days: Upgrade all instances to version 0.1.8 or later; verify successful deployment and restart affected services. Within 30 days: Conduct filesystem access audit on affected servers to detect unauthorized file modifications; review server logs for suspicious path traversal patterns; implement network segmentation to restrict access to excel-mcp-server instances to authorized internal networks only.

excel-mcp-server CVE-2026-40576

EUVD-2026-24177 CRITICAL

Path Traversal (CWE-22)

2026-04-21 GitHub_M

GHSA-j98m-w3xp-9f56

Path Traversal

9.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 21:22 vuln.today

cvss_changed

Patch released

Apr 22, 2026 - 21:17 nvd

Patch available

Apr 21, 2026 - 18:01 EUVD

Analysis Generated

Apr 21, 2026 - 17:34 vuln.today

EUVD ID Assigned

Apr 21, 2026 - 17:00 euvd

EUVD-2026-24177

Analysis Generated

Apr 21, 2026 - 17:00 vuln.today

CVE Published

Apr 21, 2026 - 16:35 nvd

CRITICAL 9.4

DescriptionNVD

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary - get_excel_path() - fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.

AnalysisAI

Remote unauthenticated path traversal in excel-mcp-server versions ≤0.1.7 allows network attackers to read, write, and overwrite arbitrary files on the host filesystem. The server's get_excel_path() function fails to validate file paths in two ways: it passes absolute paths without checking boundaries and joins relative paths without resolving traversal sequences. …

RemediationAI

Within 24 hours: Identify all systems running excel-mcp-server ≤0.1.7 using network inventory or package management tools; isolate or air-gap affected instances if immediate patching is not feasible. Within 7 days: Upgrade all instances to version 0.1.8 or later; verify successful deployment and restart affected services. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40576 vulnerability details – vuln.today

Back