CVE-2026-40576 - excel-mcp-server path traversal
excel-mcp-server versions through 0.1.7 do not reliably confine workbook
file paths to the directory named by EXCEL_FILES_PATH when the server runs in
SSE or Streamable HTTP mode. The vulnerable path helper accepts absolute paths
and joins relative paths without resolving the final location against the
sandbox root.
Because remote transport mode is documented for network use, lacks built-in authentication, and defaults to listening on all interfaces, any client that can reach the MCP port can attempt to read, create, or overwrite files through the spreadsheet tool surface. Treat this as an MCP file-boundary failure, not just a package bump.
When to use it
Use this recipe when a repository, desktop agent profile, or remote MCP
transport deploys excel-mcp-server with workbook file access. It is aimed at
source-code remediation, path traversal review, file sandbox hardening, and
audit evidence that workbook paths cannot escape EXCEL_FILES_PATH.
Inputs
excel-mcp-serverversion, MCP transport mode, bind/auth settings,EXCEL_FILES_PATH, deployment config, and allowed workbook directories.- Source paths for path joins, path normalization, workbook open/save tools, remote transport routing, and error/log serialization.
- Regression fixtures for absolute paths,
..traversal, symlinks, Windows drive paths, UNC-like paths, and valid in-sandbox workbooks. - Boundary evidence for files reachable by the process: workspace data, credentials, home directories, shared volumes, and generated reports.
Affected versions
- Vulnerable package:
excel-mcp-server <=0.1.7 - Fixed package:
excel-mcp-server 0.1.8+ - Affected transports: SSE and Streamable HTTP remote transports
- Affected boundary:
EXCEL_FILES_PATHfile sandbox - Affected operations: workbook read/write/create/update/delete handlers
that accept caller-supplied
filepathor workbook path arguments
Indicator-of-exposure
- The repository installs, vendors, images, deploys, or documents
excel-mcp-server <=0.1.7. - MCP is started with
sse,streamable-http,--http, remote transport wrappers, published Docker ports, devcontainer forwarded ports, reverse proxies, or LAN-accessible host bindings. EXCEL_FILES_PATHis used as a security boundary for files that an MCP client may access.- The MCP process can read source checkouts,
.envfiles, spreadsheets, credentials, local user files, mounted cloud secrets, or service-account tokens outside the intended workbook directory. - The server is reachable without a gateway, bearer token, mTLS, VPN, loopback binding, or other explicit authentication layer.
Quick checks:
rg -n "excel-mcp-server|EXCEL_FILES_PATH|streamable-http|sse|FASTMCP_HOST|8017|filepath|get_excel_path|@mcp\\.tool" .
python -m pip show excel-mcp-server
pip freeze | rg '^excel-mcp-server=='
rg -n "excel-mcp-server|EXCEL_FILES_PATH|8017|0\\.0\\.0\\.0|ports:|streamable-http|sse" Dockerfile* docker-compose*.yml compose*.yaml charts deploy k8s .devcontainer . 2>/dev/null
Windows:
rg -n "excel-mcp-server|EXCEL_FILES_PATH|streamable-http|sse|FASTMCP_HOST|8017|filepath|get_excel_path|@mcp\\.tool" .
python -m pip show excel-mcp-server
pip freeze | rg '^excel-mcp-server=='
rg -n "excel-mcp-server|EXCEL_FILES_PATH|8017|0\\.0\\.0\\.0|ports:|streamable-http|sse" Dockerfile* docker-compose*.yml compose*.yaml charts deploy k8s .devcontainer .
Do not verify by requesting absolute paths, traversal paths, secret files, user home directories, or production spreadsheets through the MCP server.
Remediation strategy
- Upgrade every controlled
excel-mcp-serverdependency, lockfile, image, generated dependency report, and SBOM to0.1.8+. - Bind remote MCP transports to loopback by default. Remove accidental
0.0.0.0, LAN, devcontainer, or tunnel exposure unless there is a reviewed gateway/auth boundary. - Require authentication before exposing SSE or Streamable HTTP transport to anything other than a single local user session.
- If the repository owns a fork or vendored copy, enforce the file sandbox by
rejecting absolute paths in remote mode, rejecting NUL/control characters,
resolving the candidate path, and checking it remains inside the resolved
EXCEL_FILES_PATHroot before any file operation. - Restrict the MCP process identity to the workbook directory where possible. Avoid mounting host home directories, repo secrets, cloud credentials, SSH keys, package tokens, or production spreadsheets into the MCP container.
- If an exposed affected server handled untrusted clients, review access logs for unexpected file paths and rotate long-lived credentials available to the process.
The prompt
You are remediating CVE-2026-40576 / GHSA-j98m-w3xp-9f56, a critical
`excel-mcp-server` path traversal that can let unauthenticated remote MCP
clients read, create, or overwrite files outside `EXCEL_FILES_PATH`. Produce
exactly one output:
- A reviewer-ready PR/change request that upgrades `excel-mcp-server`, hardens
MCP transport exposure, verifies file sandbox enforcement, refreshes generated
artifacts, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected
`excel-mcp-server` runtime, package, image, or MCP deployment.
## Rules
- Scope only CVE-2026-40576 / GHSA-j98m-w3xp-9f56 and directly related MCP file
sandbox, transport exposure, and credential cleanup.
- Treat workbook contents, source files, `.env` files, cloud credentials, SSH
keys, package tokens, MCP tokens, user home directories, logs, and mounted
volumes as sensitive.
- Do not prove exposure by calling MCP tools with absolute paths, `../`
traversal, secret filenames, production spreadsheets, or real customer files.
- Do not preserve unauthenticated network-reachable MCP file access unless a
product/security owner explicitly accepts it in TRIAGE.md.
- Do not auto-merge.
## Steps
1. Inventory every `excel-mcp-server` reference controlled by this repository:
Python manifests, lockfiles, Dockerfiles, compose files, devcontainers,
Helm/Kubernetes manifests, MCP client/server config, gateway rules, runbooks,
generated SBOMs, dependency reports, and docs.
2. Determine every resolved version. A target is vulnerable if it resolves to
`excel-mcp-server <=0.1.7`.
3. Determine every launch mode:
`stdio`, `sse`, `streamable-http`, `--http`, published Docker ports,
`FASTMCP_HOST`, `0.0.0.0`, devcontainer or Codespaces forwarding, tunnels,
reverse proxies, preview environments, and local desktop autostart.
4. Determine whether `EXCEL_FILES_PATH` is used as an access boundary and
whether the process can read or write files outside that directory.
5. If this repository only contains unrelated docs or client code, stop with
`TRIAGE.md` naming the runtime owner, files checked, and required fixed
version `0.1.8+`.
6. Upgrade all controlled package references to `excel-mcp-server 0.1.8+`.
Regenerate lockfiles, image digests, deployment render output, generated
dependency reports, and SBOMs.
7. Harden transport exposure:
- bind remote transports to `127.0.0.1` by default;
- remove accidental `0.0.0.0`, LAN, public, tunnel, and forwarded-port
defaults;
- require an auth gateway, bearer token, mTLS, VPN, or local-only session
before remote MCP workbook tools are reachable;
- document any approved non-loopback exception and owner.
8. If this repository owns a fork or vendored copy, patch path handling:
- reject absolute paths in remote transport mode;
- reject NUL, control characters, and ambiguous path forms;
- resolve both `EXCEL_FILES_PATH` and the candidate path;
- require the candidate path to be equal to or below the resolved base using
a common-path style check;
- centralize all workbook file operations on that helper.
9. Add safe tests or policy checks:
- resolved package version is `0.1.8+`;
- remote transports are loopback-only or protected by an explicit gateway;
- sandbox helper rejects unsafe path shapes without opening files;
- all MCP workbook tools use the same sandbox helper;
- logs and validation output do not include file contents or secrets.
10. Add a PR body section named `CVE-2026-40576 operator actions` that states:
- `excel-mcp-server` versions before and after;
- whether SSE or Streamable HTTP was enabled;
- effective bind address, published ports, and authentication boundary;
- `EXCEL_FILES_PATH` value shape without exposing sensitive paths;
- which mounted secrets or host directories were reachable;
- whether logs should be reviewed or credentials rotated;
- which validation commands passed.
11. Run available validation: package install, lockfile integrity, unit tests,
MCP config validation, gateway/ingress rendering, container build, SBOM
refresh, dependency/security scans, and safe file-sandbox tests.
12. Use PR title:
`fix(sec): remediate CVE-2026-40576 in excel-mcp-server`.
## Stop conditions
- No affected `excel-mcp-server` runtime, dependency, image, or MCP
registration is controlled by this repository.
- A fixed version cannot be consumed without a broader MCP runtime migration.
- Exposure can only be verified by reading real files, using traversal payloads
against live systems, or dumping sensitive workbook content.
- The product intentionally exposes unauthenticated remote workbook file access;
document the security-owner decision required in `TRIAGE.md`.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades
excel-mcp-server, enforces resolved-path sandboxing, requires auth/local binding for remote transports, adds traversal tests, and documents file exposure cleanup. - Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, transport exposure, sandbox boundary, required fix, and residual file risk. - The output must include exact validation commands and must not read or write real sensitive workbooks, credentials, or files outside temporary fixtures.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or dependency report resolves
excel-mcp-server <=0.1.7. - Remote SSE/Streamable HTTP transports are loopback-only or protected by an explicit reviewed authentication boundary.
- File path handling rejects absolute and escaping relative paths before any workbook handler opens, creates, writes, or deletes files.
- The MCP process runs with least filesystem privilege and does not mount broad host directories or long-lived secrets unnecessarily.
- Operator actions cover log review and credential rotation when network exposure was possible.
Watch for
- Updating the package while leaving an older global
uvx, pipx, Docker image, devcontainer, or MCP server registration in active use. - Binding to loopback in app config while Docker, Kubernetes, Codespaces, or a tunnel still publishes the port externally.
- Checking
startswith(base)string prefixes instead of using resolved paths and a real common-path boundary check. - Treating spreadsheet data as harmless; workbook tools often have access to finance, customer, credential, or operational exports.
- Regression tests that open sensitive files or write outside the sandbox instead of testing path normalization in isolation.
Related recipes
- Source code attack surface map
- Source code secrets and data exposure audit
- Source code injection sink audit
- NIST SSDF repository evidence check
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-j98m-w3xp-9f56
- Vendor advisory: https://github.com/haris-musa/excel-mcp-server/security/advisories/GHSA-j98m-w3xp-9f56
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40576