Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.
AnalysisAI
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via command injection in the allowed commands list handler. The vulnerability stems from improper validation of user-supplied strings before system call execution, enabling attackers to run code in the MCP server context with no authentication required. EPSS score of 1.01% (77th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis.
Technical ContextAI
This vulnerability affects aws-mcp-server version 1.3.0, specifically in the allowed commands list processing mechanism. The root cause is classified as CWE-78 (OS Command Injection), where user-controlled input is passed unsanitized to system shell execution functions. The aws-mcp-server appears to be a Model Context Protocol (MCP) server implementation for AWS CLI integration. The flaw allows attackers to break out of intended command constraints by injecting shell metacharacters or command separators into parameters that are subsequently executed by the underlying operating system. The vulnerability was identified and reported by ZDI (Zero Day Initiative) as ZDI-CAN-27969 and publicly disclosed as ZDI-26-245, indicating responsible disclosure through their program.
RemediationAI
Organizations running aws-mcp-server 1.3.0 should immediately upgrade to a patched version if available from the vendor. Consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-245/ for vendor patch information and specific remediation guidance. As an interim workaround, restrict network access to the MCP server to trusted IP addresses only, implement application-level firewalling to validate input parameters, or disable the affected allowed commands list functionality if operationally feasible. Given the unauthenticated remote code execution risk, deployment of this version should be avoided until vendor confirmation of remediation is obtained. Monitor vendor security advisories for official patch releases and apply them immediately upon availability.
More in Aws Mcp Server
View allSame weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21656
GHSA-fgmx-xfp3-w28p