excel-mcp-server heeft een Path Traversal probleem
Platform
python
Component
excel-mcp-server
Opgelost in
0.1.9
0.1.8
CVE-2026-40576 represents a critical Path Traversal vulnerability discovered in the excel-mcp-server project, specifically affecting versions up to 0.1.7. This flaw allows unauthenticated attackers on the network to gain arbitrary file read, write, and overwrite access to the host filesystem. The vulnerability is triggered when the server is running in SSE or Streamable-HTTP transport mode, the documented method for remote usage, and can be exploited by crafting malicious filepath arguments.
Detecteer deze CVE in je project
Upload je requirements.txt-bestand en we vertellen je direct of je getroffen bent.
Impact en Aanvalsscenarioswordt vertaald…
The impact of this vulnerability is severe. An attacker can leverage it to compromise the entire host system. They can read sensitive configuration files, steal credentials, modify system binaries, or even execute arbitrary code by overwriting critical files. The lack of authentication means that any network-connected user can potentially exploit this flaw. The ability to write arbitrary files significantly expands the attack surface, allowing for persistent backdoors or complete system takeover. This vulnerability shares similarities with other path traversal exploits where attackers bypass intended access controls to manipulate the filesystem.
Uitbuitingscontextwordt vertaald…
CVE-2026-40576 was published on 2026-04-21. Its criticality (CVSS 9.4) indicates a high probability of exploitation. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the vulnerability's severity. There is no indication of active exploitation campaigns at this time, but the vulnerability's simplicity makes it a prime target for opportunistic attackers. The vulnerability is not currently listed on KEV or EPSS.
Dreigingsinformatie
Exploit Status
EPSS
0.06% (19% percentiel)
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Laag — gedeeltelijke toegang tot enkele gegevens.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
- EPSS bijgewerkt
Mitigatie en Workaroundswordt vertaald…
The primary mitigation is to immediately upgrade excel-mcp-server to version 0.1.8, which addresses this vulnerability. If upgrading is not immediately feasible, consider disabling remote access via SSE or Streamable-HTTP transport mode. This will significantly reduce the attack surface. As a temporary workaround, restrict the EXCELFILESPATH environment variable to a minimal, tightly controlled directory and implement strict file access controls on that directory. Monitor system logs for suspicious file access patterns. After upgrading, confirm the fix by attempting to access files outside the intended EXCELFILESPATH directory via the MCP tool handlers; access should be denied.
Hoe te verhelpenwordt vertaald…
Actualice a la versión 0.1.8 o posterior para mitigar la vulnerabilidad de recorrido de ruta. La actualización corrige las fallas en la función `get_excel_path()` que permitían el acceso no autorizado a archivos del sistema.
CVE Beveiligingsnieuwsbrief
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
Veelgestelde vragenwordt vertaald…
What is CVE-2026-40576 — Path Traversal in excel-mcp-server?
CVE-2026-40576 is a critical vulnerability in excel-mcp-server versions up to 0.1.7 that allows unauthenticated attackers to read, write, and overwrite files on the host system via crafted filepath arguments when using SSE/Streamable-HTTP.
Am I affected by CVE-2026-40576 in excel-mcp-server?
You are affected if you are running excel-mcp-server versions 0.1.0 through 0.1.7 and have enabled remote access via SSE or Streamable-HTTP transport mode.
How do I fix CVE-2026-40576 in excel-mcp-server?
Upgrade to excel-mcp-server version 0.1.8. As a temporary workaround, disable remote access or restrict the EXCELFILESPATH environment variable.
Is CVE-2026-40576 being actively exploited?
There is no current indication of active exploitation, but the vulnerability's simplicity suggests a high likelihood of future exploitation.
Where can I find the official excel-mcp-server advisory for CVE-2026-40576?
Refer to the project's GitHub repository for updates and advisories: https://github.com/haris-musa/excel-mcp-server
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.