MCP Path Traversal: One Vulnerability, Dozens of Servers

#mcp #python #security #ai

CVE-2026-40576 landed on April 14. Path traversal in excel-mcp-server. CVSS 9.4. An unauthenticated attacker can read, write, or overwrite arbitrary files on the host filesystem.

Three weeks earlier, the same vulnerability in a different server. Three weeks before that, another one. CVE-2026-33989 (@mobilenext/mobile-mcp, arbitrary file write). CVE-2026-27735 (mcp-server-git, staging files outside repository boundaries). CVE-2026-32871 (fastmcp, path traversal combined with SSRF). According to vulnerablemcp.info, roughly 82% of MCP servers with file operations are vulnerable to some variant of this class.

This isn't a coincidence. It's a structural property of how MCP servers are built.

The root cause

MCP tool handlers receive parameters from the calling agent. For file-handling servers, that typically means a path. The tool reads a file, writes a cell, stages a diff, and returns a result.

Here's what insecure file handling looks like:

# excel-mcp-server, before the fix
def get_excel_path(file_path: str) -> str:
    """Get and validate the Excel file path."""
    if not os.path.exists(file_path):
        raise FileNotFoundError(f"File not found: {file_path}")
    return file_path

That's it. os.path.exists() confirms the file exists. No validation that the path stays within any expected directory. An agent (or a prompt injection payload riding inside an agent) passes ../../../../etc/passwd and the server reads it. Passes ../../../../root/.ssh/authorized_keys and writes to it.

The CVE description is precise: the function "accepts absolute paths without validation and fails to properly resolve relative paths." The fix is one function, added in version 0.1.8:

def _resolved_path_is_within(file_path: str, base_dir: str) -> bool:
    resolved = os.path.realpath(file_path)
    base = os.path.realpath(base_dir)
    return os.path.commonpath([resolved, base]) == base

realpath() expands all symlinks and resolves ../ sequences. commonpath() operates on path components, not string prefixes. commonpath(["/data/reports", "/data/rep"]) correctly returns "/data", not "/data/rep". This is the fix that works. Everything else is a bypass waiting to happen.

Why the same bug appears everywhere

The pattern recurs not because MCP server developers are careless but because MCP's design guarantees the exposure.

MCP tool calls are structured requests from an agent to a server. The server exposes tools with defined parameters. There is no framework-level sandboxing at the path layer. The MCP spec doesn't define a safe path handling primitive. It doesn't document the risk. It provides the transport and leaves the rest to each implementation.

That means every developer who writes a file-handling MCP server independently arrives at the same decision point: validate the path themselves or don't. Most don't, because the threat model assumes a local tool: one developer, one agent, trusted environment. Adversarial path inputs aren't in the picture.

The threat model breaks the moment the server hits a network. CVE-2026-40576 was specifically exploitable in SSE and Streamable-HTTP modes, both remote attack surfaces, with a default bind address of 0.0.0.0. The server was built for local use. The deployment model outpaced the security model.

CVE-2026-27735 makes this harder to dismiss. The affected server is mcp-server-git, from the modelcontextprotocol organization, Anthropic's reference repository for MCP server development. The vulnerability allowed staging files outside repository boundaries via git_add. If the reference implementation ships path traversal, the ecosystem norm is clear.

Why "just patch it" isn't enough

Patching CVE-2026-40576 requires upgrading excel-mcp-server to 0.1.8. CVE-2026-33989 requires a different fix in a different codebase. CVE-2026-27735 requires a third. Each server maintains its own patch cadence. Some maintainers respond within days. Others take months. Some don't respond at all.

The state-of-MCP-security picture at any moment: a fraction of servers patched, the rest at varying stages of "discovered, disclosed, under review, unresponsive, or unknown."

There's a more structural problem. New MCP servers ship daily, written by developers building LLM tooling for the first time, working from examples that may themselves be unpatched. The vulnerability isn't a single wrong decision in a single codebase. It's the default outcome for anyone who hasn't specifically learned why realpath() + commonpath() is mandatory.

What behavioral monitoring catches

Path traversal exploits produce observable behavioral signals.

A file-handling MCP server that suddenly accesses /etc/shadow, /root/.ssh/authorized_keys, or files three directories above the expected base directory is doing something outside its normal operating envelope. A tool that reads spreadsheets doesn't access SSH keys during legitimate operation.

That signal is detectable without knowing the specific CVE or having patched the server. AgentLair's behavioral baselines track which file paths and path categories each tool normally accesses. When an agent session produces access patterns inconsistent with the 90-day baseline (wrong directories, wrong file types, wrong sequences), the trust score drops. A trust gate blocks further tool calls before the exfiltration completes.

This matters most for the gap between disclosure and patch. CVE-2026-33989 (@mobilenext/mobile-mcp) was published March 27. Not every deployment patches immediately. During that window, behavioral monitoring provides coverage that the unpatched server doesn't.

It also matters for novel payloads. The specific traversal sequences change. The behavioral anomaly—a file-access tool reading outside its expected directory range—doesn't.

The fix

If you maintain an MCP server that accepts file paths as tool parameters, four things:

Use realpath() to resolve symlinks and traversal sequences before any validation. A path check against raw input is a bypass waiting to happen.

Use commonpath() for directory boundary enforcement. String prefix matching (startswith("/safe/dir")) fails for "/safe/directory-escape" and for symlinked paths. Component-level comparison doesn't.

Reject absolute paths if your server doesn't need them. A spreadsheet tool operating in a designated workspace directory has no legitimate use for /etc paths.

Set an explicit allowed base directory in configuration, not derived from the request. An attacker-controlled base defeats all path validation downstream.

The fix from CVE-2026-40576 is two functions and a dozen lines. The vulnerability is years of arbitrary file access on any exposed server. The exchange rate isn't close.

See behavioral monitoring in action: Try the demo

Sources: