Cyber Posture

CVE-2026-40576

Critical

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
EPSS Score 0.0006 19.2th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40576 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Validates crafted filepath arguments to MCP tool handlers, preventing path traversal by ensuring inputs conform to expected directory confinement.

AC-3 Access Enforcement good match
prevent

Enforces approved access to filesystem resources, directly addressing the get_excel_path() failure to check absolute paths and validate relative paths against EXCEL_FILES_PATH.

SC-7 Boundary Protection partial match
prevent

Monitors and controls network communications to the server bound to 0.0.0.0 by default, restricting unauthenticated remote access required for exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
attack.mitre.org →
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
attack.mitre.org →
Why these techniques?

Path traversal in network-exposed unauthenticated server directly enables remote exploitation of public-facing application (T1190); explicit arbitrary file read facilitates data collection from local system (T1005); arbitrary file write facilitates ingress of tools/files (T1105).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely),…

more

an unauthenticated attacker on the network can read, write, and overwrite arbitrary files on the host filesystem by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server is intended to confine file operations to a directory set by the EXCEL_FILES_PATH environment variable. The function responsible for enforcing this boundary — get_excel_path() — fails to do so due to two independent flaws: it passes absolute paths through without any check, and it joins relative paths without resolving or validating the result. Combined with zero authentication on the default network-facing transport and a default bind address of 0.0.0.0 (all interfaces), this allows trivial remote exploitation. This vulnerability is fixed in 0.1.8.

Deeper analysisAI

CVE-2026-40576 is a path traversal vulnerability (CWE-22) in the excel-mcp-server, a Model Context Protocol server designed for Excel file manipulation. The issue affects versions up to and including 0.1.7, specifically when the server is running in SSE or Streamable-HTTP transport mode, which is the documented method for remote usage. The vulnerability stems from flaws in the get_excel_path() function, which fails to properly enforce confinement to the directory specified by the EXCEL_FILES_PATH environment variable: it allows absolute paths to pass unchecked and joins relative paths without resolution or validation. This results in a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

An unauthenticated attacker on the same network can exploit this vulnerability remotely by supplying crafted filepath arguments to any of the 25 exposed MCP tool handlers. The server binds to 0.0.0.0 (all interfaces) by default with no authentication, enabling trivial exploitation. Successful attacks allow the attacker to read, write, and overwrite arbitrary files on the host filesystem, potentially leading to full compromise depending on the targeted files and server privileges.

The GitHub security advisory (GHSA-j98m-w3xp-9f56) confirms the vulnerability and states that it is fixed in version 0.1.8. Security practitioners should upgrade to 0.1.8 or later, verify the EXCEL_FILES_PATH configuration, and consider restricting network access to the server until patching is complete.

Details

CWE(s)
CWE-22

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp, model context protocol, mcp, mcp

CVEs Like This One

CVE-2026-7811Shared CWE-22
CVE-2026-7237Shared CWE-22
CVE-2026-7788Shared CWE-22
CVE-2026-7810Shared CWE-22
CVE-2026-7319Shared CWE-22
CVE-2026-7149Shared CWE-22
CVE-2026-7315Shared CWE-22
CVE-2026-7205Shared CWE-22
CVE-2026-7594Shared CWE-22
CVE-2026-7212Shared CWE-22

References