
CVE-2026-4270 | EUVD-2026-12474
Improper Protection of Alternate Path (CWE-424)
2026-03-16 AMZN GHSA-2cpp-j2fc-qhp7
MEDIUM 6.8 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline (5 events)

May 21, 2026 - 16:07 (NVD): CVSS changed, 5.5 (MEDIUM) to 6.8 (MEDIUM)
Mar 16, 2026 - 17:19 (euvd): EUVD ID Assigned, EUVD-2026-12474
Mar 16, 2026 - 17:19 (vuln.today): Analysis Generated
Mar 16, 2026 - 17:19 (nvd): Patch released, Patch available
Mar 16, 2026 - 16:07 (nvd): CVE Published, MEDIUM 5.5

Description (NVD)

Improper Protection of Alternate Path in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restrictions and expose arbitrary local file contents in the MCP client application context.

To remediate this issue, users should upgrade to version 1.3.9.

Analysis (AI)

AWS API MCP Server versions from 0.2.14 up to, but not including, 1.3.9 contain an improper path protection flaw in the no-access and workdir features that allows local attackers to bypass file access restrictions and read arbitrary files accessible to the MCP client application. An attacker with local access and user interaction can exploit this vulnerability to expose sensitive local file contents. …


Remediation (AI)

Within 30 days: Identify affected systems running the no-access and workdir feature of the AWS API MCP Server and apply the vendor patch as part of the regular patch cycle. A vendor patch is available.

