CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
Bulletin ID: 2026-007-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/16 09:15 AM PDT Description: The AWS API MCP Server is an open source Model Context Protocol (MCP) server that enables AI assistants to interact with AWS services and resources through AWS CLI commands. It provides programmatic access to manage your AWS infrastructure while maintaining proper security controls. This server acts as a bridge between AI assistants and AWS services, allowing you to create, update, and manage AWS resources across all available services. The server includes a configurable file access feature that controls how AWS CLI commands interact with the local file system. By default, file operations are restricted to a designated working directory (workdir), but this can be configured to allow unrestricted file system access (unrestricted) or to block all local file path arguments entirely (no-access). We identified CVE-2026-4270: Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. Impacted versions: awslabs.aws-api-mcp-server >= 0.2.14, < 1.3.9 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- A file access restriction bypass could allow unrestricted file system access.
- Who is affected
- Users of the AWS API MCP Server.
- Urgency
- Remediation is important to maintain proper security controls.
- Action
- Review and configure file access settings appropriately.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch AWS API MCP Server
Get an email when a new AWS API MCP Server advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-007-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-42700.13% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 3% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-4270 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - AWS API
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-55187: Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation ship…nvd · 2026-07-10
- unknownCVE-2026-49844: Improper encoding of non-finite floating-point values during MapMessage JSON serialization in …nvd · 2026-07-10
- unknownCVE-2026-48127: Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without…nvd · 2026-07-10
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …ghsa · 2026-07-10
- mediumCVE-2026-57230: OpenReplay is a self-hosted session replay suite. Prior to 1.27.0, the session search and anal…nvd · 2026-07-10
- unknownCVE-2026-57212: RabbitMQ is a messaging and streaming broker. Prior to 3.13.14, 4.0.19, 4.1.10, and 4.2.5, the…nvd · 2026-07-10
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01