CVE-2026-10278

An attacker can invoke affected MCP tools, such as read_file or write_file, remotely. By manipulating arguments like `filePath` or `outputPath`, the attacker can specify arbitrary paths on the server's filesystem. This allows for reading existing spreadsheet files or writing new CSV/XLS/XLSX files to locations outside the intended directory. The attack requires the attacker to be able to invoke the MCP tools and for the target file to be readable or the target path to be writable by the server process [ref_id=1].

The vulnerability resides in the handling of file path arguments within the `src/index.ts` file. These arguments are passed to file read/write APIs in `src/utils/file-utils.ts` and `src/handlers/file-operations.ts`, specifically functions like `fs.readFile`, `workbook.xlsx.readFile`, `fs.writeFile`, and `workbook.xlsx.writeFile`, without proper path validation [ref_id=1].

The advisory recommends implementing a required configured workspace root and enforcing path containment after `path.resolve`. It also suggests rejecting absolute paths unless explicitly enabled by trusted configuration and adding regression tests to prevent paths outside the workspace from being accessed. No patch is publicly available at this time [ref_id=1].

```json {"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"read_file","arguments":{"filePath":"C:\\Users\\czx\\Desktop\\cve\\excel-read-test.csv"}}} {"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"write_file","arguments":{"filePath":"C:\\Users\\czx\\Desktop\\cve\\excel-write-test.csv","headers":["a","b"],"data":[["1","2"]]}}} ``` Confirm that `read_file` returns the contents of the selected local CSV file. Confirm that `write_file` creates the selected local CSV file outside the repository directory [ref_id=1].