Is this vulnerability remotely exploitable?

Yes. When excel-mcp-server is running in SSE or Streamable-HTTP mode and exposed on the network (such as binding to 0.0.0.0), an unauthenticated remote attacker can exploit the issue by sending crafted requests with malicious file paths.

What level of access does an attacker need to exploit this?

The attacker only needs network access to the service endpoint; no credentials are required by default. They do not need shell access to the host or local user accounts, only the ability to reach the server over the network.

What is the safest general fix pattern for developers?

Enforce strict path confinement by canonicalizing all user-supplied paths, prohibiting absolute paths for sandboxed operations, and verifying that the resolved path stays within the intended base directory before performing any filesystem operation. Additionally, decouple external inputs from raw filesystem paths wherever possible.

Severity:

CRITICAL RISK

(9.4)

Path Traversal (CWE-22) in excel-mcp-server Remote Excel File Handler

CVE-2026-40576

Published:

Apr 21, 2026

Status:

Deferred

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-74;CWE-89

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

Database Compromise and Data Integrity Loss

April 27, 2026

CWE-863

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Privilege Escalation and Unauthorized Session Control

April 27, 2026

Vulnerability Type

Category:

Path Traversal

CWE:

CWE-22

Impact:

Arbitrary File Read and Write via Path Traversal

Severity:

CRITICAL RISK

(9.4)

CVSS Version:

3.1

Vulnerability Type

Category:

Path Traversal

CWE:

CWE-22

Impact:

Arbitrary File Read and Write via Path Traversal

Severity:

CRITICAL RISK

(9.4)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Path Traversal (CWE-22) in excel-mcp-server Remote Excel File Handler

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare