CVE-2026-4270— AWS API MCP File Access Restriction Bypass
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4270
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AWS API MCP File Access Restriction Bypass
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对候选路径的不恰当保护
Source: NVD (National Vulnerability Database)
Vulnerability Title
Amazon Web Services API MCP Server 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Amazon Web Services API MCP Server是Amazon Web Services开源的一个大模型上下文服务器。 Amazon Web Services API MCP Server 0.2.14至1.3.9之前版本存在安全漏洞,该漏洞源于对备用路径的保护不当,可能导致绕过预期的文件访问限制,并在MCP客户端应用环境中暴露任意本地文件内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| AWS | AWS API MCP Server | 0.2.14 ~ 1.3.9 | - |
II. Public POCs for CVE-2026-4270
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4270
请登录查看更多情报信息。
- CVE-2026-4270 - AWS API MCP File Access Restriction Bypassvendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-4270
IV. Related Vulnerabilities
Same vendor: AWS
- CVE-2026-7461
OS Command Injection in Amazon ECS Agent via FSx Windows Fil - CVE-2026-7426
Out-of-Bounds Write via Unsanitized Prefix Length in Router - CVE-2026-7425
Out-of-Bounds Read in Router Advertisement Option Parser in - CVE-2026-7424
Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Pl - CVE-2026-7423
Integer Underflow in ICMP Echo Reply Processing in FreeRTOS-
V. Comments for CVE-2026-4270
No comments yet