Path Traversal Vulnerability in excel-mcp-server Affects File Manipulation
CVE-2026-40576
What is CVE-2026-40576?
excel-mcp-server, a server for Excel file manipulation, contains a path traversal vulnerability that an unauthenticated attacker with network access to the server can exploit. Versions up to and including 0.1.7 are affected: an attacker can read, write, and overwrite files on the host's filesystem by manipulating the filepath arguments passed to the server's exposed MCP tool handlers. The root cause is improper handling of file paths in the get_excel_path() function: absolute paths bypass the validation entirely, and relative paths are resolved incorrectly, so both can escape the intended directory. The server's defaults make this worse, since it requires no authentication and binds to all network interfaces, making exploitation straightforward. The issue is fixed in version 0.1.8.
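The two defects named above (absolute paths skipping validation, relative paths resolved without normalisation) are the classic shape of a path traversal bug in a file tool handler. The following is an added example, not code from excel-mcp-server or from its fix: it shows a naive resolver with exactly those two weaknesses next to a hardened resolver that rejects absolute input, canonicalises the joined path with realpath() (collapsing ".." and following symlinks), and then checks containment in the base directory. Python and all function names (naive_resolve, resolve_excel_path, is_allowed, EXAMPLE_BASE) are assumptions for this example; the base directory is a constructed temporary directory so it runs offline.

```python
# Added example (not code from excel-mcp-server): a hardened path resolver for
# a file-manipulation tool handler, next to the naive pattern the advisory
# describes. Python and the function names here are assumptions.
import os
import tempfile

# Constructed base directory so the example runs offline on any host.
EXAMPLE_BASE = os.path.realpath(tempfile.mkdtemp(prefix="excel_mcp_example_"))


class PathOutsideBase(ValueError):
    """Raised when a requested path does not resolve to a file inside the base."""


def naive_resolve(base_dir, requested):
    """Illustrative weak pattern (NOT the project's code): absolute paths are
    returned unchanged and relative paths are joined without normalisation,
    so both '/etc/passwd' and '../../secret.xlsx' leave base_dir."""
    if os.path.isabs(requested):
        return requested
    return os.path.join(base_dir, requested)


def resolve_excel_path(base_dir, requested):
    """Resolve a client-supplied path to a file strictly inside base_dir.

    Rejects absolute paths outright, canonicalises the joined path (collapsing
    '..' and following symlinks), then checks the result is a descendant of the
    canonical base directory rather than the base itself.
    """
    if not isinstance(requested, str) or not requested.strip():
        raise PathOutsideBase("empty path")
    if os.path.isabs(requested):
        # An absolute path must never override the configured base directory.
        raise PathOutsideBase(f"absolute path not allowed: {requested!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Different drives on Windows: cannot be inside the base.
        inside = False
    if not inside or candidate == base:
        raise PathOutsideBase(f"path escapes base directory: {requested!r}")
    return candidate


def is_allowed(base_dir, requested):
    """Boolean wrapper around the resolver, convenient for checks and tests."""
    try:
        resolve_excel_path(base_dir, requested)
        return True
    except PathOutsideBase:
        return False


def symlink_escape_is_rejected():
    """Show that a symlink inside the base that points outside it is caught,
    because realpath() follows the link before the containment check."""
    root = tempfile.mkdtemp(prefix="excel_mcp_symlink_")
    base = os.path.join(root, "base")
    outside = os.path.join(root, "outside")
    os.mkdir(base)
    os.mkdir(outside)
    try:
        os.symlink(outside, os.path.join(base, "link"))
    except (OSError, NotImplementedError):
        return True  # platform without symlink support: nothing to escape through
    return not is_allowed(base, "link/secret.xlsx")


if __name__ == "__main__":
    for req in ("reports/q1.xlsx", "reports/../q2.xlsx", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:24} naive    -> {naive_resolve(EXAMPLE_BASE, req)!r}")
        verdict = "allowed" if is_allowed(EXAMPLE_BASE, req) else "rejected"
        print(f"{'':24} hardened -> {verdict}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The containment check is done on the canonical paths, which is what catches both "..", which a naive join leaves in place, and symlinks that point out of the base. Note that this only fixes the file-path handling; the exposure described in the advisory (no authentication, bound to all interfaces) is a separate deployment concern that input validation does not address.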
Affected Version(s)
excel-mcp-server < 0.1.8
