Skip to main content

excel-mcp-server CVE-2026-40576

| EUVDEUVD-2026-24177 CRITICAL
Path Traversal (CWE-22)
2026-04-21 GitHub_M GHSA-j98m-w3xp-9f56
9.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.4 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 22, 2026 - 21:17 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:34 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:00 euvd
EUVD-2026-24177
Analysis Generated
Apr 21, 2026 - 17:00 vuln.today
CVE Published
Apr 21, 2026 - 16:35 nvd
CRITICAL 9.4

DescriptionGitHub Advisory

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary - get_excel_path() - fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.

AnalysisAI

Remote unauthenticated path traversal in excel-mcp-server versions ≤0.1.7 allows network attackers to read, write, and overwrite arbitrary files on the host filesystem. The server's get_excel_path() function fails to validate file paths in two ways: it passes absolute paths without checking boundaries and joins relative paths without resolving traversal sequences. With default configuration binding to 0.0.0.0 (all network interfaces) and no authentication on SSE/Streamable-HTTP transport modes, exploitation is trivial. Vendor-released patch available in version 0.1.8. EPSS data not available; no CISA KEV listing identified at time of analysis.

Technical ContextAI

excel-mcp-server implements the Model Context Protocol (MCP) for Excel file operations, exposing 25 tool handlers over network transports. The vulnerability resides in get_excel_path(), a boundary enforcement function intended to confine operations within EXCEL_FILES_PATH. Classic CWE-22 path traversal occurs through dual implementation flaws: absolute paths (e.g., '/etc/passwd') bypass all checks entirely, while relative paths with traversal sequences (e.g., '../../../etc/passwd') are joined using path concatenation without canonicalization or parent directory resolution. The affected CPE (cpe:2.3:a:haris-musa:excel-mcp-server) indicates this is a third-party server implementation, not part of the official MCP specification. Network exposure occurs through SSE (Server-Sent Events) and Streamable-HTTP transport modes, which are documented as the standard remote access methods.

RemediationAI

Upgrade immediately to excel-mcp-server version 0.1.8, which implements proper path validation in get_excel_path(). Obtain the patched release from the project's GitHub repository referencing advisory GHSA-j98m-w3xp-9f56 (https://github.com/haris-musa/excel-mcp-server/security/advisories/GHSA-j98m-w3xp-9f56). For systems where immediate patching is not feasible, implement these compensating controls with their limitations: (1) Bind the server to 127.0.0.1 (localhost only) and proxy through an authenticated gateway-this prevents direct internet exposure but requires additional infrastructure and does not protect against local network attackers or compromised local services; (2) Deploy strict network ACLs permitting only specific source IPs-this reduces attack surface but requires accurate IP inventory and fails if trusted networks are compromised; (3) Run the server process in a restrictive filesystem jail/container with read-only root filesystem-this limits impact to mounted volumes but may break legitimate Excel file operations if misconfigured. After patching, audit server logs for suspicious file paths containing '../' sequences or absolute paths outside EXCEL_FILES_PATH, and scan the filesystem for unauthorized modifications dated between initial deployment and patch application.

Share

CVE-2026-40576 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy