Skip to main content

Aws Mcp Server EUVDEUVD-2026-21655

| CVE-2026-5058 CRITICAL
OS Command Injection (CWE-78)
2026-04-11 zdi GHSA-fjwc-hc62-p8h9
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Apr 11, 2026 - 01:00 euvd
EUVD-2026-21655
Analysis Generated
Apr 11, 2026 - 01:00 vuln.today
CVE Published
Apr 11, 2026 - 00:14 nvd
CRITICAL 9.8

DescriptionCVE.org

aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968.

AnalysisAI

Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via improper validation of the allowed commands list. The command injection flaw (CWE-78) enables system call execution without authentication barriers. With a CVSS score of 9.8 (critical severity) and EPSS probability of 1.01% (77th percentile), this represents a high-severity vulnerability with moderate real-world exploitation likelihood. No public exploit identified at time of analysis, and no active exploitation confirmed.

Technical ContextAI

This vulnerability affects the aws-mcp-server (Model Context Protocol server for AWS services), specifically version 1.3.0 per EUVD data. The flaw is rooted in CWE-78 (OS Command Injection), where the application fails to properly sanitize user-supplied input before passing it to system calls. The MCP server's allowed commands list mechanism lacks adequate input validation, enabling attackers to inject shell metacharacters or command separators that break out of intended command structures. When the server processes these malicious inputs, it executes attacker-controlled commands with the privileges of the MCP server process. This represents a classic command injection pattern where insufficiently validated data crosses a trust boundary into a system execution context, allowing arbitrary code execution on the underlying operating system.

RemediationAI

Organizations should immediately upgrade aws-mcp-server to a patched version beyond 1.3.0 if available from the vendor. Consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-246/ for specific patch guidance and vendor-released fix information. Until patching is complete, implement network-level access controls to restrict exposure of the MCP server to untrusted networks, deploy the server behind authentication gateways, and monitor system logs for suspicious command execution patterns. If the server must remain internet-accessible, implement strict input validation at perimeter security controls and consider deploying the service in a sandboxed or containerized environment with minimal privileges to limit the blast radius of potential exploitation. Review and harden the allowed commands list configuration to ensure only absolutely necessary commands are permitted, though this is a defense-in-depth measure and not a substitute for patching the underlying validation flaw.

Share

EUVD-2026-21655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy