Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968.
AnalysisAI
Remote code execution in aws-mcp-server 1.3.0 allows unauthenticated attackers to execute arbitrary commands via improper validation of the allowed commands list. The command injection flaw (CWE-78) enables system call execution without authentication barriers. With a CVSS score of 9.8 (critical severity) and EPSS probability of 1.01% (77th percentile), this represents a high-severity vulnerability with moderate real-world exploitation likelihood. No public exploit identified at time of analysis, and no active exploitation confirmed.
Technical ContextAI
This vulnerability affects the aws-mcp-server (Model Context Protocol server for AWS services), specifically version 1.3.0 per EUVD data. The flaw is rooted in CWE-78 (OS Command Injection), where the application fails to properly sanitize user-supplied input before passing it to system calls. The MCP server's allowed commands list mechanism lacks adequate input validation, enabling attackers to inject shell metacharacters or command separators that break out of intended command structures. When the server processes these malicious inputs, it executes attacker-controlled commands with the privileges of the MCP server process. This represents a classic command injection pattern where insufficiently validated data crosses a trust boundary into a system execution context, allowing arbitrary code execution on the underlying operating system.
RemediationAI
Organizations should immediately upgrade aws-mcp-server to a patched version beyond 1.3.0 if available from the vendor. Consult the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-246/ for specific patch guidance and vendor-released fix information. Until patching is complete, implement network-level access controls to restrict exposure of the MCP server to untrusted networks, deploy the server behind authentication gateways, and monitor system logs for suspicious command execution patterns. If the server must remain internet-accessible, implement strict input validation at perimeter security controls and consider deploying the service in a sandboxed or containerized environment with minimal privileges to limit the blast radius of potential exploitation. Review and harden the allowed commands list configuration to ensure only absolutely necessary commands are permitted, though this is a defense-in-depth measure and not a substitute for patching the underlying validation flaw.
More in Aws Mcp Server
View allSame weakness CWE-78 – OS Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21655
GHSA-fjwc-hc62-p8h9