Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
Lifecycle Timeline
7DescriptionGitHub Advisory
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary - get_excel_path() - fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.
AnalysisAI
Remote unauthenticated path traversal in excel-mcp-server versions ≤0.1.7 allows network attackers to read, write, and overwrite arbitrary files on the host filesystem. The server's get_excel_path() function fails to validate file paths in two ways: it passes absolute paths without checking boundaries and joins relative paths without resolving traversal sequences. With default configuration binding to 0.0.0.0 (all network interfaces) and no authentication on SSE/Streamable-HTTP transport modes, exploitation is trivial. Vendor-released patch available in version 0.1.8. EPSS data not available; no CISA KEV listing identified at time of analysis.
Technical ContextAI
excel-mcp-server implements the Model Context Protocol (MCP) for Excel file operations, exposing 25 tool handlers over network transports. The vulnerability resides in get_excel_path(), a boundary enforcement function intended to confine operations within EXCEL_FILES_PATH. Classic CWE-22 path traversal occurs through dual implementation flaws: absolute paths (e.g., '/etc/passwd') bypass all checks entirely, while relative paths with traversal sequences (e.g., '../../../etc/passwd') are joined using path concatenation without canonicalization or parent directory resolution. The affected CPE (cpe:2.3:a:haris-musa:excel-mcp-server) indicates this is a third-party server implementation, not part of the official MCP specification. Network exposure occurs through SSE (Server-Sent Events) and Streamable-HTTP transport modes, which are documented as the standard remote access methods.
RemediationAI
Upgrade immediately to excel-mcp-server version 0.1.8, which implements proper path validation in get_excel_path(). Obtain the patched release from the project's GitHub repository referencing advisory GHSA-j98m-w3xp-9f56 (https://github.com/haris-musa/excel-mcp-server/security/advisories/GHSA-j98m-w3xp-9f56). For systems where immediate patching is not feasible, implement these compensating controls with their limitations: (1) Bind the server to 127.0.0.1 (localhost only) and proxy through an authenticated gateway-this prevents direct internet exposure but requires additional infrastructure and does not protect against local network attackers or compromised local services; (2) Deploy strict network ACLs permitting only specific source IPs-this reduces attack surface but requires accurate IP inventory and fails if trusted networks are compromised; (3) Run the server process in a restrictive filesystem jail/container with read-only root filesystem-this limits impact to mounted volumes but may break legitimate Excel file operations if misconfigured. After patching, audit server logs for suspicious file paths containing '../' sequences or absolute paths outside EXCEL_FILES_PATH, and scan the filesystem for unauthorized modifications dated between initial deployment and patch application.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24177
GHSA-j98m-w3xp-9f56