Skip to main content

Aws Mcp Server CVE-2026-5059

| EUVDEUVD-2026-21656 CRITICAL
OS Command Injection (CWE-78)
2026-04-11 zdi GHSA-fgmx-xfp3-w28p
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21656
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:15 nvd
CRITICAL 9.8

DescriptionCVE.org

aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.

AnalysisAI

Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via command injection in the allowed commands list handler. The vulnerability stems from improper validation of user-supplied strings before system call execution, enabling attackers to run code in the MCP server context with no authentication required. EPSS score of 1.01% (77th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects aws-mcp-server version 1.3.0, specifically in the allowed commands list processing mechanism. The root cause is classified as CWE-78 (OS Command Injection), where user-controlled input is passed unsanitized to system shell execution functions. The aws-mcp-server appears to be a Model Context Protocol (MCP) server implementation for AWS CLI integration. The flaw allows attackers to break out of intended command constraints by injecting shell metacharacters or command separators into parameters that are subsequently executed by the underlying operating system. The vulnerability was identified and reported by ZDI (Zero Day Initiative) as ZDI-CAN-27969 and publicly disclosed as ZDI-26-245, indicating responsible disclosure through their program.

RemediationAI

Organizations running aws-mcp-server 1.3.0 should immediately upgrade to a patched version if available from the vendor. Consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-245/ for vendor patch information and specific remediation guidance. As an interim workaround, restrict network access to the MCP server to trusted IP addresses only, implement application-level firewalling to validate input parameters, or disable the affected allowed commands list functionality if operationally feasible. Given the unauthenticated remote code execution risk, deployment of this version should be avoided until vendor confirmation of remediation is obtained. Monitor vendor security advisories for official patch releases and apply them immediately upon availability.

Share

CVE-2026-5059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy