EUVD-2026-12474

CVE-2026-4270 | MEDIUM | CVSS 3.1: 5.5
2026-03-16 | AMZN | GHSA-2cpp-j2fc-qhp7

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

4 events:
Mar 16, 2026 - 17:19 (vuln.today): Analysis Generated
Mar 16, 2026 - 17:19 (euvd): EUVD ID Assigned, EUVD-2026-12474
Mar 16, 2026 - 17:19 (nvd): Patch Released, patch available
Mar 16, 2026 - 16:07 (nvd): CVE Published, MEDIUM 5.5

Description

An Improper Protection of Alternate Path issue in the no-access and workdir feature of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9 on all platforms, may allow the bypass of intended file access restrictions and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.

Analysis

AWS API MCP Server versions from 0.2.14 up to but not including 1.3.9 contain an improper path protection flaw in the no-access and workdir features that allows local attackers to bypass file access restrictions and read arbitrary files accessible to the MCP client application. An attacker with local access and user interaction can exploit this vulnerability to expose sensitive local file contents. …


Remediation

Within 30 days: Identify affected systems running the no-access and workdir feature of the AWS API MCP Server and apply the vendor patch as part of the regular patch cycle. A vendor patch is available.


Priority Score

28 (scale: Low, Medium, High, Critical)
KEV: 0
EPSS: +0.0
CVSS: +28
POC: 0
