CVE-2026-40576
AWS · excel-mcp-server
A path traversal vulnerability in excel-mcp-server allows unauthenticated remote attackers to read, write, and overwrite arbitrary files on the host filesystem.
Executive summary
An unauthenticated path traversal vulnerability in the AWS excel-mcp-server enables remote attackers to achieve full filesystem access, posing a critical threat to host integrity.
Vulnerability
The application fails to properly validate file paths within its tool handlers, allowing an unauthenticated attacker to escape the designated directory and perform arbitrary file operations.
Business impact
Successful exploitation allows an unauthenticated attacker to read sensitive configuration files, modify application logic, or overwrite system files, leading to a complete compromise of the host environment. Given the CVSS score of 9.4, this vulnerability represents an extreme risk to data confidentiality, integrity, and availability.
Remediation
Immediate Action: Upgrade to version 0.1.8 or later, which corrects the path validation flaws in the tool handlers.
Proactive Monitoring: Inspect server logs for unusual file access patterns or attempts to access system directories outside the intended EXCEL_FILES_PATH.
Compensating Controls: If immediate patching is not possible, restrict network access to the MCP server transport interface using firewall rules or ACLs to ensure only authorized clients can reach the service.
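The following is an added example, not code from the excel-mcp-server project or from this advisory. It shows the check that the remediation and monitoring items above depend on: every workbook path a tool handler receives is resolved and confirmed to lie inside the configured EXCEL_FILES_PATH, and the same check is then applied to logged path arguments to find requests that would have escaped that directory. The log format, tool names and the base directory /srv/excel-files are assumptions made for the example.

```python
# Added example, not code from the excel-mcp-server project or the advisory:
# confine a workbook path to the configured EXCEL_FILES_PATH directory, and
# reuse the same check to scan server logs for requests that would have escaped it.
import re
from pathlib import Path
from typing import List, Optional


def resolve_within_base(base_dir: str, requested: str) -> Optional[Path]:
    """Return the resolved path for `requested` if it stays inside base_dir, else None.

    Joining and then resolving normalises '..' and '.' segments and follows
    symlinks before the containment check. pathlib keeps an absolute `requested`
    as-is (it replaces the base), so absolute paths also resolve outside the
    base and are rejected.
    """
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


# Constructed sample log lines; the real server's log format is not given in
# the advisory, so a simple "tool=<name> path=<argument>" layout is assumed.
SAMPLE_LOG = """\
2026-04-01T10:00:01Z tool=read_workbook path=reports/q1.xlsx
2026-04-01T10:00:07Z tool=write_workbook path=../../../tmp/outside.xlsx
2026-04-01T10:00:09Z tool=read_workbook path=/etc/passwd
2026-04-01T10:00:12Z tool=create_workbook path=archive/../2026/budget.xlsx
"""

_PATH_ARG = re.compile(r"\bpath=(\S+)")


def find_escaping_requests(base_dir: str, log_text: str) -> List[str]:
    """Return the logged path arguments whose resolved location lies outside base_dir.

    A plain search for '..' would also flag 'archive/../2026/budget.xlsx', which
    stays inside the base; resolving first avoids that false positive.
    """
    escaping = []
    for line in log_text.splitlines():
        match = _PATH_ARG.search(line)
        if match is None:
            continue
        requested = match.group(1)
        if resolve_within_base(base_dir, requested) is None:
            escaping.append(requested)
    return escaping


if __name__ == "__main__":
    base = "/srv/excel-files"  # assumed value of EXCEL_FILES_PATH for the example
    for hit in find_escaping_requests(base, SAMPLE_LOG):
        print("escapes base directory:", hit)
```

In a handler, call resolve_within_base before any open, read or write and refuse the request when it returns None; rejecting on the resolved path rather than on the presence of `..` is what makes absolute paths and symlinked directories fail the check as well.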
Exploitation status
Public Exploit Available: No
Analyst recommendation
The severity of this flaw necessitates immediate attention. Organizations running the excel-mcp-server in SSE or Streamable-HTTP mode should prioritize upgrading to version 0.1.8 or later to prevent unauthorized remote file manipulation.