AWS MCP Server Flaws Expose File Read and Remote Code Execution Risks
Researchers disclosed multiple security flaws affecting AWS MCP components, including a local file inclusion bug in the AWS Remote MCP Server and a critical command injection issue in aws-mcp-server. Varonis said authenticated users could abuse AWS CLI shorthand syntax, specifically the @= operator passed through the aws___call_aws tool, to read arbitrary files from the underlying host even when FileAccessMode=NO_ACCESS was enabled. AWS assigned CVE-2026-4270 to the file access restriction bypass and said the issue was fixed in aws-api-mcp-server version 1.3.9; the exposure affected the public endpoint aws-mcp.us-east-1.api.aws as well as self-hosted or forked deployments.
A separate flaw, tracked as CVE-2026-5058 and published by Trend Micro's Zero Day Initiative as ZDI-26-246, allows unauthenticated remote code execution in aws-mcp-server because user-supplied input in the allowed-commands list is not properly validated before being used in a system call. ZDI rated the bug CVSS 9.8 and said successful exploitation lets attackers run arbitrary code in the MCP server context; the advisory was released as a 0-day after the vendor rejected the report. The disclosures landed alongside another AWS bulletin for CVE-2026-4269, an improper S3 ownership verification issue in the Bedrock AgentCore Starter Toolkit, underscoring broader security concerns around MCP-related tooling and the need for immediate patching and review of derivative implementations.
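For the CVE-2026-4270 behaviour described above, one way to triage exposure is to look for the `@=` shorthand operator in `aws___call_aws` tool calls and to confirm the deployed aws-api-mcp-server version. The following is an added example, not code from AWS, Varonis or the original page; the JSON log schema (`tool`, `caller`, `arguments.cli_command`) and the sample lines are constructed assumptions.

```python
import json
import re

TOOL_NAME = "aws___call_aws"   # tool name as given in the article
FIXED_VERSION = (1, 3, 9)      # aws-api-mcp-server fix version per the article

# The shorthand operator named in the article: a key immediately followed by "@=".
SHORTHAND_FILE_REF = re.compile(r"[\w.\-\]]@=")

# Constructed sample audit log; the field names are a hypothetical schema.
SAMPLE_LOG = [
    '{"tool": "aws___call_aws", "caller": "user-a", '
    '"arguments": {"cli_command": "aws s3api list-buckets"}}',
    '{"tool": "aws___call_aws", "caller": "user-b", '
    '"arguments": {"cli_command": "aws example-svc example-op --input Body@=/constructed/path"}}',
    '{"tool": "other_tool", "caller": "user-c", '
    '"arguments": {"cli_command": "x Key@=y"}}',
    "not json at all",
]


def is_patched(version_text):
    """True when a dotted version string is at or above the fixed release."""
    parts = tuple(int(p) for p in version_text.strip().split("."))
    return parts >= FIXED_VERSION


def flag_tool_calls(log_lines):
    """Return (line_no, caller, command) for aws___call_aws calls that use @=."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # ignore lines that are not JSON records
        if not isinstance(record, dict) or record.get("tool") != TOOL_NAME:
            continue  # only the tool the article names is in scope
        args = record.get("arguments")
        command = str(args.get("cli_command", "")) if isinstance(args, dict) else ""
        if SHORTHAND_FILE_REF.search(command):
            hits.append((line_no, record.get("caller", "unknown"), command))
    return hits


if __name__ == "__main__":
    for hit in flag_tool_calls(SAMPLE_LOG):
        print("review:", hit)
    print("1.3.8 patched?", is_patched("1.3.8"))
```

A hit is a prompt for review rather than proof of abuse; on versions below 1.3.9 the article states that FileAccessMode=NO_ACCESS did not block this path, so upgrading is the fix and the log check only helps scope past activity.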

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
CVE record published for aws-mcp-server command injection
A CVE entry for CVE-2026-5058 was published, describing the aws-mcp-server command injection vulnerability as leading to unauthenticated remote code execution. The record linked the issue to ZDI-CAN-27968 and ZDI-26-246.
ZDI publishes aws-mcp-server flaw CVE-2026-5059 as zero day
ZeroPath reports that ZDI disclosed a separate unauthenticated command injection flaw in the community-maintained aws-mcp-server, tracked as CVE-2026-5059 and advisory ZDI-26-245, after reporting it in September 2025 and vendor rejection in December 2025. The issue affects version 1.3.0, can enable full remote code execution, and had no patch available at the time.
ZDI publishes aws-mcp-server flaw as 0-day after vendor rejection
After multiple follow-ups and vendor rejection, Zero Day Initiative published ZDI-26-246 for the aws-mcp-server command injection flaw as a 0-day advisory. The vulnerability, later tracked as CVE-2026-5058, allows unauthenticated remote code execution in the context of the MCP server.
AWS fixes CVE-2026-4270 in aws-api-mcp-server 1.3.9
AWS fixed the file inclusion issue tracked as CVE-2026-4270 in aws-api-mcp-server version 1.3.9. Varonis noted the flaw could expose sensitive files, credentials, secrets, and execution-environment details, and recommended immediate upgrades.
Varonis discloses LFI in AWS Remote MCP Server
Varonis Threat Labs disclosed a local file inclusion vulnerability in the AWS Remote MCP Server caused by AWS CLI shorthand syntax and the `@=` operator passing through the `aws___call_aws` tool. The issue allowed authenticated users to read arbitrary files from the server and was assigned CVE-2026-4270.
Proofpoint discloses CursorJack deeplink exploitation technique
Proofpoint Threat Research described 'CursorJack,' a proof-of-concept technique abusing Cursor IDE's cursor:// MCP deeplink installation flow to socially engineer users into approving malicious MCP server installs. In controlled tests, the chain could lead to arbitrary command execution with the user's privileges or installation of a malicious remote MCP server after user interaction.
AWS publishes advisory for CVE-2026-4269
AWS published a security bulletin for CVE-2026-4269 covering improper S3 ownership verification in the Bedrock AgentCore Starter Toolkit. This made the vulnerability publicly known through an AWS product advisory.
AWS publishes advisory for CVE-2026-4270
AWS published a security bulletin for CVE-2026-4270, identified as an AWS API MCP file access restriction bypass. The advisory marks public disclosure of the issue by AWS.
ZDI reports aws-mcp-server command injection to vendor
Trend Micro's Zero Day Initiative reported a command injection remote code execution vulnerability in aws-mcp-server, tracked as ZDI-CAN-27968 and later CVE-2026-5058, to the vendor in September 2025. The issue involved improper validation of a user-supplied string in the allowed commands list before use in a system call.
Sources
CVE-2026-5058 - aws-mcp-server Command Injection Remote Code Execution Vulnerability (cvefeed.io)
Brief Summary: CVE-2026-5059 - Unauthenticated Command Injection in aws-mcp-server Enables Full Remote Code Execution - ZeroPath Blog (zeropath.com)
Varonis Discovers Local File Inclusion in AWS Remote MCP Server via CLI Shorthand Syntax (varonis.com)
CursorJack: weaponizing Deeplinks to exploit Cursor IDE | Proofpoint US (proofpoint.com)
CVE-2026-4270 - AWS API MCP File Access Restriction Bypass (aws.amazon.com)
CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit (aws.amazon.com)
ZDI-26-246 | Zero Day Initiative (zerodayinitiative.com)


