ATR-2026-00569high上下文外洩experimental
Agent / MCP tool path traversal and arbitrary file access
An MCP/agent file tool receives a path argument that escapes its intended directory — a deep ../ chain or URL-encoded traversal — enabling arbitrary file read/write (incl. zip-slip). Generalizes a cluster of MCP file-handler CVEs and agent-app path traversals.
嚴重度
high
類別
上下文外洩
掃描目標
runtime
作者
ATR Community
建議回應
alert
參考資料
CVE
OWASP Agentic
ASI01:2026 - Agent Goal Hijack
OWASP LLM
LLM02:2025 - Sensitive Information Disclosure
MITRE ATLAS
AML.T0057 - LLM Data Leakage
偵測條件
組合方式: any- 01Deep ../ traversal chain that reaches a sensitive system target欄位: content運算子: regex
- 02URL/percent-encoded path traversal sequence欄位: content運算子: regex
攻擊範例(規則會觸發)
{"path": "../../../../etc/passwd"}read_file("..\..\..\..\windows\system32\config")GET /files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd
extractAllTo zip entry: ../../../../home/u/.ssh/id_rsa
digest=../../../../proc/self/environ
以上為真實攻擊 payload 的脫敏版本,與規則一同版本化,作為 regression test——確保未來的修訂不會悄悄漏掉它們。
正常樣本(規則不會觸發)
- benign path/doc 1
#include "../../../../include/foo.h"
- benign path/doc 2
import "../../shared/utils"
- benign path/doc 3
from ..models import User
- benign path/doc 4
path = "../config/app.json"
- benign path/doc 5
ssh-keygen -lf ~/.ssh/id_rsa
- benign path/doc 6
The scanner flags /etc/passwd references
- benign path/doc 7
relpath = "../../../build/output/lib.so"
完整 YAML 定義
在 GitHub 編輯 →title: Agent / MCP tool path traversal and arbitrary file access
id: ATR-2026-00569
rule_version: 1
status: experimental
description: An MCP/agent file tool receives a path argument that escapes its intended directory — a deep ../ chain or URL-encoded traversal — enabling arbitrary file read/write (incl. zip-slip). Generalizes a cluster of MCP file-handler CVEs and agent-app path traversals.
author: ATR Community
date: 2026/06/02
schema_version: '0.1'
detection_tier: pattern
maturity: test
severity: high
references:
cve:
- CVE-2026-40576
- CVE-2026-32719
- CVE-2026-42249
- CVE-2026-7020
- CVE-2026-7811
- CVE-2026-34070
- CVE-2026-7318
- CVE-2026-7599
- CVE-2026-7728
- CVE-2026-9467
cwe:
- CWE-22
- CWE-23
- CWE-29
external:
- https://nvd.nist.gov/vuln/detail/CVE-2026-40576
- https://github.com/Advanced-Excel-MCP/excel-mcp-server
owasp_llm:
- LLM02:2025 - Sensitive Information Disclosure
owasp_agentic:
- ASI01:2026 - Agent Goal Hijack
mitre_atlas:
- AML.T0057 - LLM Data Leakage
metadata_provenance:
cve: human-authored
cwe: human-authored
compliance:
eu_ai_act:
- article: "15"
context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
strength: primary
- article: "10"
context: "Article 10 (data and data governance) requires control over the data an AI system processes; this rule provides detection evidence for the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access) affecting that data."
strength: secondary
nist_ai_rmf:
- subcategory: "MS.2.7"
context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
strength: primary
- subcategory: "MS.2.10"
context: "NIST AI RMF MEASURE 2.10 (privacy risk examined and documented) is supported by this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
strength: secondary
iso_42001:
- clause: "8.1"
context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access)."
strength: primary
- clause: "6.2"
context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the context-exfiltration attempt (Agent / MCP tool path traversal and arbitrary file access) is such a treatment."
strength: secondary
tags:
category: context-exfiltration
scan_target: runtime
confidence: high
agent_source:
type: llm_io
framework:
- any
provider:
- any
detection:
condition: any
false_positives: []
conditions:
- field: content
operator: regex
value: (?i)(?:\.\.[\\/]){2,}[^\s"\x27<>]*?(?:etc[\\/](?:passwd|shadow)|proc[\\/]self|windows[\\/]system32|[\\/]\.ssh[\\/]|win\.ini|boot\.ini)
description: Deep ../ traversal chain that reaches a sensitive system target
- field: content
operator: regex
value: (?i)(?:%2e%2e|%252e%252e|\.\.)(?:%2f|%5c|%c0%af)|%2e%2e%2f
description: URL/percent-encoded path traversal sequence
response:
actions:
- alert
notify:
- security_team
test_cases:
true_positives:
- input: '{"path": "../../../../etc/passwd"}'
expected: triggered
description: path-traversal payload 1
- input: read_file("..\..\..\..\windows\system32\config")
expected: triggered
description: path-traversal payload 2
- input: GET /files?name=%2e%2e%2f%2e%2e%2fetc%2fpasswd
expected: triggered
description: path-traversal payload 3
- input: 'extractAllTo zip entry: ../../../../home/u/.ssh/id_rsa'
expected: triggered
description: path-traversal payload 4
- input: digest=../../../../proc/self/environ
expected: triggered
description: path-traversal payload 5
true_negatives:
- input: '#include "../../../../include/foo.h"'
expected: not_triggered
description: benign path/doc 1
- input: import "../../shared/utils"
expected: not_triggered
description: benign path/doc 2
- input: from ..models import User
expected: not_triggered
description: benign path/doc 3
- input: path = "../config/app.json"
expected: not_triggered
description: benign path/doc 4
- input: ssh-keygen -lf ~/.ssh/id_rsa
expected: not_triggered
description: benign path/doc 5
- input: The scanner flags /etc/passwd references
expected: not_triggered
description: benign path/doc 6
- input: relpath = "../../../build/output/lib.so"
expected: not_triggered
description: benign path/doc 7
更多 上下文外洩 規則
ATR-2026-00020highSystem Prompt and Internal Instruction LeakageATR-2026-00021criticalCredential and Secret Exposure in Agent OutputATR-2026-00075highAgent Memory ManipulationATR-2026-00102highData Exfiltration via Disguised Analytics CollectionATR-2026-00113criticalCredential File Theft from Agent Environment