AWS API MCP File Access Restriction Bypass
Description
An Improper Protection of Alternate Path issue in the no-access and workdir features of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9 on all platforms, may allow bypass of the intended file access restrictions and expose arbitrary local file contents in the MCP client application context.
To remediate this issue, users should upgrade to version 1.3.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-4270 allows bypass of file access restrictions in AWS API MCP Server versions >= 0.2.14 and < 1.3.9, exposing arbitrary local file contents to MCP clients.
Vulnerability
Overview
The AWS API MCP Server is an open-source Model Context Protocol (MCP) server that enables AI assistants to interact with AWS services through CLI commands. It includes a configurable file access feature that controls how AWS CLI commands interact with the local file system. By default, file operations are restricted to a designated working directory (workdir), but this can be configured to allow unrestricted access or to block all local file path arguments (no-access). CVE-2026-4270 is an Improper Protection of Alternate Path vulnerability in the no-access and workdir features of the server, affecting versions >= 0.2.14 and < 1.3.9 on all platforms [1][2][3].
Exploitation
The vulnerability allows an attacker to bypass the intended file access restrictions by using alternate paths that are not properly validated. This can be exploited without authentication, as the MCP server may be exposed to untrusted inputs. The attack surface is the MCP client application context, where arbitrary local file contents can be exposed [3][4].
Impact
Successful exploitation could lead to the exposure of arbitrary local file contents to the MCP client application, potentially leaking sensitive information such as configuration files, credentials, or other data stored on the host system [2][3].
Mitigation
The issue has been addressed in version 1.3.9 of the AWS API MCP Server. Users are strongly recommended to upgrade to this version or later. No workarounds are available [3][4]. The vulnerability is also tracked as GHSA-2cpp-j2fc-qhp7 [4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| awslabs.aws-api-mcp-server (PyPI) | >= 0.2.14, < 1.3.9 | 1.3.9 |
Affected products
- Range: >= 0.2.14, < 1.3.9
- AWS/AWS API MCP Server (v5), Range: 0.2.14
Patches
No patches discovered yet.
References
- pypi.org/project/awslabs.aws-api-mcp-server/1.3.9/ (mitre, patch)
- aws.amazon.com/security/security-bulletins/2026-007-AWS/ (mitre, vendor-advisory)
- github.com/advisories/GHSA-2cpp-j2fc-qhp7 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-4270 (ghsa, ADVISORY)
- aws.amazon.com/security/security-bulletins/2026-007-AWS (ghsa, WEB)
- github.com/awslabs/mcp/security/advisories/GHSA-2cpp-j2fc-qhp7 (ghsa, WEB)
- pypi.org/project/awslabs.aws-api-mcp-server/1.3.9 (ghsa, WEB)