CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

CVE-2026-42080: Arbitrary File Write and Path Traversal in PPTAgent MCP Server

Amit Schendel
Senior Security Researcher

May 5, 2026

Executive Summary (TL;DR)

A path traversal flaw in PPTAgent allows low-privileged attackers to write PowerPoint presentations and image files to arbitrary locations on the host filesystem via unvalidated path inputs.

PPTAgent versions prior to commit 418491a9a1c02d9d93194b5973bb58df35cf9d00 contain a path traversal vulnerability (CWE-22) within the Model Context Protocol (MCP) server's file handling mechanisms. An attacker with low privileges can supply crafted file paths containing traversal sequences to write files or create directories outside the intended workspace boundaries. This results in unauthorized file modification and limited host filesystem exposure.

Vulnerability Overview

PPTAgent is an agentic framework designed to generate reflective PowerPoint presentations. The framework utilizes a Model Context Protocol (MCP) server to handle file operations and content generation. Versions of PPTAgent prior to commit 418491a9a1c02d9d93194b5973bb58df35cf9d00 fail to restrict user-supplied paths to intended workspace directories.

This vulnerability is classified as CWE-22, denoting the improper limitation of a pathname to a restricted directory. The flaw manifests in several file-handling utilities within the framework. Attackers with low-level privileges can provide crafted paths containing traversal sequences to write files to arbitrary locations on the host filesystem.

While the impact is constrained by the nature of the written files, the vulnerability exposes the host operating system to unintended file modifications. The CVSS v3.1 base score is 4.6, reflecting the medium severity of this issue. Exploitation requires user interaction, as the attack payload must be processed by the agent interface.

Technical Root Cause Analysis

The root cause of this vulnerability lies in the direct use of unvalidated input for file system operations. Specifically, the save_generated_slides function in pptagent/mcp_server.py accepts a pptx_path parameter directly from the agent's context. The function wraps this input in a Python Path object but performs no sanitization or bounds checking.

Following the object creation, the code invokes pptx.parent.mkdir(parents=True, exist_ok=True) and subsequently saves the generated presentation. Because the absolute path or traversal sequences are not resolved against a secure base directory, the framework will create directories and write files wherever the user specifies. This mechanism is limited only by the operating system permissions assigned to the PPTAgent process.

A secondary manifestation of this flaw exists in the get_html_table_image function located in pptagent/utils.py. The output_path parameter is processed using os.path.split(), which similarly fails to restrict the destination directory. An independent but related security weakness was identified in pptagent/apis.py, where eval() was used without a restricted execution environment, presenting an expression injection risk.

Code Analysis and Patch Details

The patch introduced in commit 418491a9a1c02d9d93194b5973bb58df35cf9d00 addresses the path traversal flaw by implementing a robust path resolution utility. The developers added the resolve_path_in_workspace function to pptagent/utils.py. This function normalizes the provided path and verifies its relationship to the intended workspace.

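from pathlib import Path

def resolve_path_in_workspace(path_str: str, workspace: Path | None = None) -> Path:
    # Canonical workspace root; defaults to the current working directory.
    workspace_root = (workspace or Path.cwd()).resolve()
    # resolve() makes the path absolute and collapses ../ segments and symlinks.
    target = Path(path_str).resolve()
    # Reject anything that does not sit under the workspace root.
    if not target.is_relative_to(workspace_root):
        raise ValueError(f"Access denied: path outside allowed workspace: {workspace_root}")
    return target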

The save_generated_slides function was subsequently updated to invoke this resolver before executing file operations. By utilizing Path.resolve(), the application computes the absolute path, effectively nullifying ../ traversal sequences. The is_relative_to() method then guarantees that the computed path strictly resides within the boundaries of the workspace_root.
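The following is an added example, not code from PPTAgent or from the original report. It runs a containment check modelled on the resolve_path_in_workspace helper quoted above against constructed inputs, including a symlink and a sibling directory that shares the workspace name prefix. It goes slightly beyond the quoted helper by anchoring relative inputs at the workspace instead of the process working directory; resolve_in_workspace, classify, run_demo and every path used are hypothetical.

```python
import os
import tempfile
from pathlib import Path


def resolve_in_workspace(path_str: str, workspace: Path) -> Path:
    """Containment check modelled on the patched helper quoted above."""
    root = workspace.resolve()
    # Assumption: relative inputs are anchored at the workspace, not at the
    # process working directory. An absolute path_str replaces root in the
    # join, so it is still compared against the workspace below.
    target = (root / path_str).resolve()  # collapses ../ and follows symlinks
    if not target.is_relative_to(root):   # component-wise, not a string prefix
        raise ValueError(f"path outside allowed workspace: {path_str!r}")
    return target


def classify(path_str: str, workspace: Path) -> str:
    try:
        resolve_in_workspace(path_str, workspace)
        return "allowed"
    except ValueError:
        return "denied"


def run_demo() -> dict:
    """Check constructed inputs against a throwaway workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        ws = base / "workspace"
        ws.mkdir()
        (base / "workspace-old").mkdir()  # sibling that shares the name prefix
        os.symlink(base, ws / "link")     # symlink that leads out of the workspace
        cases = {
            "plain": "out/deck.pptx",
            "inner_dotdot": "out/../deck.pptx",
            "dotdot": "../../../../tmp/malicious.pptx",
            "absolute": str(base / "elsewhere.pptx"),
            "sibling_prefix": str(base / "workspace-old" / "deck.pptx"),
            "symlink": "link/deck.pptx",
        }
        return {name: classify(p, ws) for name, p in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:15}{verdict}")
```

The sibling_prefix case is the one a string startswith() comparison would wrongly accept, which is why the check compares path components.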

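Furthermore, the developers hardened the eval() usage in pptagent/apis.py. The execution context is now explicitly restricted by defining a safe global environment. By injecting SAFE_EVAL_GLOBALS = {"__builtins__": {}}, the application prevents attackers from accessing dangerous built-in Python functions during expression evaluation. An empty __builtins__ mapping removes direct access to built-in names; it narrows the evaluation context but is not on its own a complete sandbox, so expressions reaching eval() should still be treated as untrusted input.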

Exploitation Mechanics

Exploitation of this vulnerability requires the attacker to supply a crafted payload to the MCP server. The attacker must interact with the agent interface and trigger the save_generated_slides capability. A successful exploit payload includes directory traversal sequences, structured similarly to ../../../../tmp/malicious.pptx.

Upon processing the payload, the vulnerable Python process resolves the relative path according to its current working directory. The mkdir function processes the traversal segment, creating any missing directories along the unintended path. The python-pptx library then generates the presentation and writes it to disk at the targeted location.

The attacker exercises limited control over the byte-level contents of the written file. Because the file is generated by the python-pptx library or image rendering utilities, the written structure is dictated by those specific binary formats. This constraint generally prevents the direct writing of executable scripts, such as shell scripts or Python files, minimizing the direct code execution risk.

Security Impact Assessment

The security impact of CVE-2026-42080 is evaluated as Medium, primarily due to the limited scope of the file write primitive. The vulnerability allows an attacker to manipulate the filesystem structure by creating nested directories and writing files. However, the inability to control the exact byte contents of the output restricts the potential for direct system compromise.

The CVSS v3.1 vector evaluates to CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L. Confidentiality remains unimpacted, as the flaw does not facilitate arbitrary file reading. Integrity is partially compromised because unauthorized files are created, but critical system binaries cannot be directly modified with executable attacker-controlled data.

Availability may suffer a partial impact if the attacker intentionally overwrites critical configuration files or service dependencies with the generated PowerPoint data. Such an action would corrupt the targeted files, potentially causing service outages for processes relying on them. The calculated EPSS score of 0.00036 indicates a very low likelihood of active exploitation in the wild within the immediate timeframe.

Remediation and Defensive Strategies

To remediate this vulnerability, organizations must update their PPTAgent deployments to incorporate commit 418491a9a1c02d9d93194b5973bb58df35cf9d00 or a subsequent release. This patch comprehensively addresses both the CWE-22 path traversal and the secondary expression injection risks. Code changes take effect upon fully restarting the MCP server process.

Security engineers should apply the principle of least privilege to the environment hosting the PPTAgent server. The operating system user executing the Python process must possess write permissions exclusively for the designated workspace directory. Restricting overarching filesystem permissions effectively mitigates the impact of potential bypasses in application-level path validation.

Network defenders can implement detection mechanisms to monitor for path traversal attempts. Internal network intrusion detection systems should flag payloads containing traversal patterns like ../ or absolute file paths directed at the MCP server. Regular security audits of agentic frameworks are strongly recommended to identify similar input validation weaknesses.
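The detection idea from the paragraph above, as an added example that is not part of the original report or of PPTAgent. It assumes MCP requests are logged one JSON-RPC message per line and inspects the decoded arguments of tools/call requests; the log lines are constructed, and path_findings, scan, PATH_ARGS and SAMPLE are hypothetical names.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

# Path parameters named in this report. Assumption: output_path can also
# arrive as a tool argument; extend the set for other tools.
PATH_ARGS = {"pptx_path", "output_path"}


def path_findings(value: str) -> list:
    """Return the reasons a path argument looks like a workspace escape."""
    reasons = []
    # Treat both separators alike so "..\" is caught as well as "../".
    parts = value.replace("\\", "/").split("/")
    if ".." in parts:
        reasons.append("traversal")
    if PurePosixPath(value).is_absolute() or PureWindowsPath(value).is_absolute():
        reasons.append("absolute")
    return reasons


def scan(lines: list) -> list:
    """Flag tools/call requests whose path arguments would leave the workspace."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON-RPC frame
        if not isinstance(msg, dict) or msg.get("method") != "tools/call":
            continue
        params = msg.get("params")
        args = params.get("arguments") if isinstance(params, dict) else None
        if not isinstance(args, dict):
            continue
        for key in sorted(PATH_ARGS & args.keys()):
            reasons = path_findings(str(args[key]))
            if reasons:
                alerts.append((lineno, key, reasons))
    return alerts


# Constructed sample log, one message per line.
SAMPLE = [
    '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"save_generated_slides","arguments":{"pptx_path":"out/deck.pptx"}}}',
    '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"save_generated_slides","arguments":{"pptx_path":"../../../../tmp/malicious.pptx"}}}',
    '{"jsonrpc":"2.0","id":3,"method":"tools/call","params":{"name":"save_generated_slides","arguments":{"pptx_path":"/var/tmp/deck.pptx"}}}',
    r'{"jsonrpc":"2.0","id":4,"method":"tools/call","params":{"name":"save_generated_slides","arguments":{"pptx_path":"C:\\Users\\Public\\deck.pptx"}}}',
    'server started',
]
```

Because the check runs on the parsed JSON value, escaped separators inside the request body are normalised before matching.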

Official Patches

  • icip-cas: Fix commit for PPTAgent
  • GitHub Advisory: GitHub Security Advisory

Technical Appendix

CVSS Score: 4.6 / 10 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L)
EPSS Probability: 0.04% (Top 100% most exploited)

Affected Systems

PPTAgent (icip-cas)

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| PPTAgent (icip-cas) | < 418491a9a1c02d9d93194b5973bb58df35cf9d00 | 418491a9a1c02d9d93194b5973bb58df35cf9d00 |

| Attribute | Detail |
| --- | --- |
| Vulnerability Class | CWE-22: Path Traversal |
| Attack Vector | Network |
| CVSS v3.1 Score | 4.6 |
| EPSS Score | 0.00036 |
| Impact | Arbitrary File Write / Directory Creation |
| Exploit Status | None |
| CISA KEV | Not Listed |

MITRE ATT&CK Mapping

  • T1083: File and Directory Discovery (Discovery)
  • T1005: Data from Local System (Collection)
  • CWE-22: Path Traversal. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability Timeline

  • 2026-04-19: Vulnerability patched via commit 418491a9a1c02d9d93194b5973bb58df35cf9d00
  • 2026-05-04: CVE-2026-42080 published by NVD
  • 2026-05-04: GitHub Advisory GHSA-pxhg-7xr2-w7xg released
  • 2026-05-05: Vulnerability research and analysis performed
