Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context.
To remediate this issue, users should upgrade to version 1.3.9.
AnalysisAI
AWS API MCP Server versions 0.2.14 through 1.3.9 contain an improper path protection flaw in the no-access and workdir features that allows local attackers to bypass file access restrictions and read arbitrary files accessible to the MCP client application. An attacker with local access and user interaction can exploit this vulnerability to expose sensitive local file contents. Users should upgrade to version 1.3.9 or later to remediate this issue.
Technical ContextAI
The AWS API MCP Server (Model Context Protocol Server) is a Python-based library (cpe:2.3:a:aws:aws_api_mcp_server) that facilitates secure interaction between AI models and AWS APIs through a standardized protocol interface. The vulnerability stems from improper canonicalization or validation of file paths when the no-access and workdir restriction features are active, falling under CWE-424 (Improper Protection of Alternate Path), which classifies defects where alternate pathnames or representations bypass intended access controls. Affected versions 0.2.14 through 1.3.8 fail to properly normalize or validate user-supplied paths before enforcing directory boundaries, allowing techniques such as symbolic link traversal, path normalization tricks (e.g., '../' sequences, URL encoding, case variation), or other alternate path representations to escape the intended working directory sandbox and access files outside the restricted scope.
RemediationAI
Immediately upgrade AWS API MCP Server to version 1.3.9 or later via PyPI (https://pypi.org/project/awslabs.aws-api-mcp-server/1.3.9/), which resolves the path traversal bypass in the no-access and workdir features. For environments unable to patch immediately, implement filesystem-level access controls by running the MCP server process with minimal privilege (dedicated service account with read-only access to only necessary directories), enforce strict network segmentation to limit local access to trusted client applications, and apply OS-level sandboxing (seccomp, AppArmor, SELinux) to restrict file system syscalls. Conduct an audit of any MCP server instances deployed in the 0.2.14–1.3.8 range to identify potential information disclosure and review AWS credential exposure timelines.
Same weakness CWE-424 – Improper Protection of Alternate Path
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12474
GHSA-2cpp-j2fc-qhp7