📄 Description (English)
A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read_file/write_file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
🤖 AI Executive Summary
CVE-2026-10278 is a path traversal vulnerability in ishayoyo excel-mcp (versions up to 1.0.2) affecting file read/write operations. An attacker can manipulate filePath/outputPath parameters to access or modify files outside intended directories, potentially exposing sensitive data or system files. With a CVSS score of 6.3 and public disclosure, this poses a moderate risk requiring immediate assessment and mitigation.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 1, 2026 22:40
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using excel-mcp for data processing and file management, particularly in: Banking sector (SAMA-regulated institutions) for financial data processing; Government agencies (NCA oversight) handling sensitive documents; Healthcare organizations processing patient records; Energy sector (ARAMCO and subsidiaries) managing operational data; Telecommunications (STC, Mobily) for billing and customer data. Path traversal could expose confidential financial records, government documents, personal health information, and operational data critical to national infrastructure.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
Manufacturing and Industrial
Education and Research
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory all systems running ishayoyo excel-mcp versions up to 1.0.2
2. Restrict network access to affected services using firewall rules
3. Implement input validation to reject path traversal patterns (../, ..\ , encoded variants)
4. Monitor file access logs for suspicious path patterns
Patching Guidance:
1. Upgrade to excel-mcp version 1.0.3 or later when available
2. If upgrade unavailable, implement compensating controls immediately
Compensating Controls:
1. Deploy Web Application Firewall (WAF) rules blocking path traversal attempts
2. Use chroot/containerization to restrict file system access scope
3. Implement strict file path whitelisting - only allow access to designated directories
4. Apply principle of least privilege to service accounts
5. Enable comprehensive audit logging for all file operations
Detection Rules:
1. Alert on filePath/outputPath parameters containing: ../, ..\ , %2e%2e, encoded dots
2. Monitor for file access attempts outside designated directories
3. Track failed file operation attempts with path traversal indicators
4. Log all read/write operations with full path details for forensic analysis
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حصر جميع الأنظمة التي تشغل ishayoyo excel-mcp الإصدارات حتى 1.0.2
2. تقييد الوصول الشبكي للخدمات المتأثرة باستخدام قواعد جدار الحماية
3. تطبيق التحقق من صحة المدخلات لرفض أنماط اجتياز المسار (../, ..\ ، المتغيرات المشفرة)
4. مراقبة سجلات الوصول إلى الملفات للأنماط المريبة
إرشادات التصحيح:
1. الترقية إلى إصدار excel-mcp 1.0.3 أو أحدث عند توفره
2. إذا لم يكن الترقية متاحة، طبق الضوابط البديلة فوراً
الضوابط البديلة:
1. نشر قواعد جدار تطبيقات الويب (WAF) لحجب محاولات اجتياز المسار
2. استخدام chroot/containerization لتقييد نطاق الوصول إلى نظام الملفات
3. تطبيق قائمة بيضاء صارمة لمسارات الملفات - السماح فقط بالوصول إلى الدلائل المعينة
4. تطبيق مبدأ أقل امتياز على حسابات الخدمة
5. تفعيل تسجيل التدقيق الشامل لجميع عمليات الملفات
قواعد الكشف:
1. تنبيه على معاملات filePath/outputPath التي تحتوي على: ../, ..\ ، %2e%2e، النقاط المشفرة
2. مراقبة محاولات الوصول إلى الملفات خارج الدلائل المعينة
3. تتبع محاولات عمليات الملفات الفاشلة مع مؤشرات اجتياز المسار
4. تسجيل جميع عمليات القراءة/الكتابة مع تفاصيل المسار الكاملة للتحليل الجنائي
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Information Security Policies and Procedures
ECC 2024 A.5.2.1 - Access Control and Authorization
ECC 2024 A.5.3.1 - Cryptography and Data Protection
ECC 2024 A.5.4.1 - Logging and Monitoring
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and Hardware Inventory
SAMA CSF PR.AC-1 - Access Control
SAMA CSF PR.PT-1 - Security Awareness and Training
SAMA CSF DE.AE-1 - Anomalies and Events Detection
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access Control
ISO 27001:2022 A.5.16 - Cryptography
ISO 27001:2022 A.5.23 - Information Security for Supplier Relationships
ISO 27001:2022 A.8.1 - User Endpoint Devices
ISO 27001:2022 A.8.32 - Change Management
🟣 PCI DSS v4.0.1
PCI DSS 6.2 - Security Patches and Updates
PCI DSS 6.5.1 - Injection Flaws
PCI DSS 10.2 - Logging and Monitoring
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/ishayoyo/excel-mcp/
cna@vuldb.com
https://github.com/ishayoyo/excel-mcp/issues/6
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-10278
cna@vuldb.com
https://vuldb.com/submit/825418
cna@vuldb.com
https://vuldb.com/vuln/367571
cna@vuldb.com
https://vuldb.com/vuln/367571/cti
cna@vuldb.com