ATR-2026-00569 | high | Context Exfiltration | experimental

Agent / MCP tool path traversal and arbitrary file access

An MCP/agent file tool receives a path argument that escapes its intended directory — a deep ../ chain or URL-encoded traversal — enabling arbitrary file read/write (incl. zip-slip). Generalizes a cluster of MCP file-handler CVEs and agent-app path traversals.
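On the mitigation side, the check a file tool needs before it opens a path argument is a containment test against its permitted root, applied after percent-decoding and canonicalisation. The following is an added example, not code from the rule page or from any of the referenced projects; the root `/srv/mcp-root`, the function names and the `PathEscapeError` type are assumptions of the example. The same function doubles as a zip-slip guard for archive entry names.

```python
import os
from urllib.parse import unquote


class PathEscapeError(ValueError):
    """Raised when a tool-supplied path would leave the permitted root."""


def resolve_within(base_dir: str, user_path: str) -> str:
    """Resolve user_path against base_dir and return the real absolute path,
    or raise PathEscapeError if the result lies outside base_dir.

    base_dir is the directory the file tool is allowed to touch (a
    hypothetical configuration value in this example).
    """
    # Decode percent-encoding before any path logic, twice so that a
    # double-encoded "%252e%252e%252f" also reduces to "../". Normalising
    # first and decoding later would let "%2e%2e%2f" through untouched.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise PathEscapeError("NUL byte in path")
    # Treat backslashes as separators so "..\\..\\windows" is normalised the
    # same way as "../../windows" instead of being taken as one file name.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    # os.path.join discards base when decoded is absolute ("/etc/passwd"),
    # and realpath collapses every "..", so the containment test below sees
    # the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath, not startswith: "/srv/mcp-root2/x" starts with
    # "/srv/mcp-root" but is not inside it.
    if os.path.commonpath([base, candidate]) != base:
        raise PathEscapeError(f"{user_path!r} resolves outside {base_dir!r}")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_within for callers that only need a verdict."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathEscapeError:
        return False


def rejected_zip_entries(dest_dir: str, entry_names: list[str]) -> list[str]:
    """Zip-slip guard: return the archive entries that must not be extracted
    because their names would land outside dest_dir."""
    return [name for name in entry_names if not is_safe(dest_dir, name)]


if __name__ == "__main__":
    root = "/srv/mcp-root"  # constructed example root; it need not exist
    for p in ["docs/readme.md", "../../../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "/etc/passwd"]:
        print(f"{p!r:45} -> {'ok' if is_safe(root, p) else 'REJECTED'}")
    print(rejected_zip_entries(root, ["a/b.txt", "../../../../home/u/.ssh/id_rsa"]))
```

Because `realpath` follows symlinks, a link already inside the root is resolved to its target and judged on that target; the check is still not atomic with the subsequent open, so keep the root on a filesystem the agent cannot write links into.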

Severity
high
Category
Context Exfiltration
Scan Target
runtime
Author
ATR Community

Response Actions

alert

Detection Conditions

Combinator: any
  1. Deep ../ traversal chain that reaches a sensitive system target
     field: content, op: regex
  2. URL/percent-encoded path traversal sequence
     field: content, op: regex

Attack Examples (Rule Triggers)

  1. {"path": "../../../../etc/passwd"}
  2. read_file("..\..\..\..\windows\system32\config")
  3. GET /files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd
  4. extractAllTo zip entry: ../../../../home/u/.ssh/id_rsa
  5. digest=../../../../proc/self/environ

Real-world attack payloads (sanitized). Used for regression testing.

Benign Examples (Rule Doesn't Trigger)

  1. benign path/doc 1
    #include "../../../../include/foo.h"
  2. benign path/doc 2
    import "../../shared/utils"
  3. benign path/doc 3
    from ..models import User
  4. benign path/doc 4
    path = "../config/app.json"
  5. benign path/doc 5
    ssh-keygen -lf ~/.ssh/id_rsa
  6. benign path/doc 6
    The scanner flags /etc/passwd references
  7. benign path/doc 7
    relpath = "../../../build/output/lib.so"

Full YAML Definition

title: Agent / MCP tool path traversal and arbitrary file access
id: ATR-2026-00569
rule_version: 1
status: experimental
description: An MCP/agent file tool receives a path argument that escapes its intended directory — a deep ../ chain or URL-encoded traversal — enabling arbitrary file read/write (incl. zip-slip). Generalizes a cluster of MCP file-handler CVEs and agent-app path traversals.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: experimental
severity: high
references:
  cve:
  - CVE-2026-40576
  - CVE-2026-32719
  - CVE-2026-42249
  - CVE-2026-7020
  - CVE-2026-7811
  - CVE-2026-34070
  - CVE-2026-7318
  - CVE-2026-7599
  - CVE-2026-7728
  - CVE-2026-9467
  cwe:
  - CWE-22
  - CWE-23
  - CWE-29
  external:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-40576
  - https://github.com/Advanced-Excel-MCP/excel-mcp-server
metadata_provenance:
  cve: human-authored
  cwe: human-authored
tags:
  category: context-exfiltration
  scan_target: runtime
  confidence: high
agent_source:
  type: llm_io
  framework:
  - any
  provider:
  - any
detection:
  condition: any
  false_positives: []
  conditions:
  - field: content
    operator: regex
    value: (?i)(?:\.\.[\\/]){2,}[^\s"\x27<>]*?(?:etc[\\/](?:passwd|shadow)|proc[\\/]self|windows[\\/]system32|[\\/]\.ssh[\\/]|win\.ini|boot\.ini)
    description: Deep ../ traversal chain that reaches a sensitive system target
  - field: content
    operator: regex
    value: (?i)(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%5c|%c0%af)|%2e%2e%2f
    description: URL/percent-encoded path traversal sequence
response:
  actions:
  - alert
  notify:
  - security_team
test_cases:
  true_positives:
  - input: '{"path": "../../../../etc/passwd"}'
    expected: triggered
    description: path-traversal payload 1
  - input: read_file("..\..\..\..\windows\system32\config")
    expected: triggered
    description: path-traversal payload 2
  - input: GET /files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd
    expected: triggered
    description: path-traversal payload 3
  - input: 'extractAllTo zip entry: ../../../../home/u/.ssh/id_rsa'
    expected: triggered
    description: path-traversal payload 4
  - input: digest=../../../../proc/self/environ
    expected: triggered
    description: path-traversal payload 5
  true_negatives:
  - input: '#include "../../../../include/foo.h"'
    expected: not_triggered
    description: benign path/doc 1
  - input: import "../../shared/utils"
    expected: not_triggered
    description: benign path/doc 2
  - input: from ..models import User
    expected: not_triggered
    description: benign path/doc 3
  - input: path = "../config/app.json"
    expected: not_triggered
    description: benign path/doc 4
  - input: ssh-keygen -lf ~/.ssh/id_rsa
    expected: not_triggered
    description: benign path/doc 5
  - input: The scanner flags /etc/passwd references
    expected: not_triggered
    description: benign path/doc 6
  - input: relpath = "../../../build/output/lib.so"
    expected: not_triggered
    description: benign path/doc 7
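To see the two detection conditions behave as the rule intends, here is an added example (not part of the rule page or of the ATR project's own tooling) that compiles the two regexes from the YAML above, applies them under the `any` combinator, and replays the rule's own `test_cases`. The function names and the `run_regression` harness are assumptions of the example; the patterns and inputs are copied from the definition.

```python
import re

# The two conditions from the rule's YAML, joined by the "any" combinator.
CONDITIONS = [
    (
        "Deep ../ traversal chain that reaches a sensitive system target",
        re.compile(
            r'(?i)(?:\.\.[\\/]){2,}[^\s"\x27<>]*?'
            r'(?:etc[\\/](?:passwd|shadow)|proc[\\/]self|windows[\\/]system32'
            r'|[\\/]\.ssh[\\/]|win\.ini|boot\.ini)'
        ),
    ),
    (
        "URL/percent-encoded path traversal sequence",
        re.compile(r'(?i)(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%5c|%c0%af)|%2e%2e%2f'),
    ),
]


def matched_conditions(content: str) -> list[str]:
    """Descriptions of every condition that fires on `content` (the rule's
    `field: content`); empty when the rule would not alert."""
    return [desc for desc, pattern in CONDITIONS if pattern.search(content)]


def triggered(content: str) -> bool:
    """Rule verdict: with condition: any, one matching condition is enough."""
    return bool(matched_conditions(content))


# The rule's own test_cases, copied from the YAML definition.
TRUE_POSITIVES = [
    '{"path": "../../../../etc/passwd"}',
    r'read_file("..\..\..\..\windows\system32\config")',
    'GET /files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd',
    'extractAllTo zip entry: ../../../../home/u/.ssh/id_rsa',
    'digest=../../../../proc/self/environ',
]
TRUE_NEGATIVES = [
    '#include "../../../../include/foo.h"',
    'import "../../shared/utils"',
    'from ..models import User',
    'path = "../config/app.json"',
    'ssh-keygen -lf ~/.ssh/id_rsa',
    'The scanner flags /etc/passwd references',
    'relpath = "../../../build/output/lib.so"',
]


def run_regression() -> dict:
    """Replay test_cases and report mismatches between verdict and expectation."""
    failures = []
    for text in TRUE_POSITIVES:
        if not triggered(text):
            failures.append(("expected triggered", text))
    for text in TRUE_NEGATIVES:
        if triggered(text):
            failures.append(("expected not_triggered", text))
    return {"total": len(TRUE_POSITIVES) + len(TRUE_NEGATIVES), "failures": failures}


if __name__ == "__main__":
    for text in TRUE_POSITIVES + TRUE_NEGATIVES:
        print(f"{'ALERT' if triggered(text) else 'ok   '} {text}")
    print(run_regression())
```

Reading the patterns explains the rule's scope: the first condition needs at least two `../` (or `..\`) hops followed by one of the listed system targets, so a shallow escape to a file that is not on that list is outside its reach by design, which is what keeps the `#include` and `relpath` cases quiet; the second fires on any encoded separator after `..`, including mixed forms such as `..%2f`, regardless of what the path points at.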

Revision History

Created: 2026-06-02
Last modified: 2026-06-04