Critical 0-Day in aws-mcp-server Allows Unauthenticated RCE; Vendor Rejects Report
A critical command injection vulnerability in aws-mcp-server, CVE-2026-5058, allows unauthenticated remote code execution with a CVSS score of 9.8, and the vendor has rejected the report, leaving no patch available.

A critical zero-day vulnerability has been disclosed in aws-mcp-server, a component of the AWS Model Context Protocol (MCP) server. Tracked as CVE-2026-5058 and assigned a CVSS score of 9.8, the flaw allows unauthenticated remote attackers to execute arbitrary code on affected installations. The vulnerability was reported by researchers Alfredo Oliveira and David Fiser of Trend Research and published by the Zero Day Initiative (ZDI) on March 30, 2026, as advisory ZDI-26-246.
The specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Because authentication is not required, any internet-exposed instance of aws-mcp-server is potentially at risk of complete compromise.
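The advisory describes a class of bug rather than a line of code: a user-supplied string that is checked against an allowed-commands list too loosely and then handed to a system call. The following hypothetical Python, added here as an illustration and not taken from aws-mcp-server, ZDI or the researchers, puts a weak first-word allowlist check next to a hardened one that tokenizes the input, requires an exact match on the program name, and returns an argv list intended for execution without a shell. The allowlist contents and sample inputs are constructed for the demo and make no claim about how the real project implements its list.

```python
"""Allowlist-based command dispatch: a naive check beside a hardened one.

Hypothetical example written for this article. It is not code from
aws-mcp-server or from the ZDI advisory and does not describe how that
project handles its allowed commands; it only shows the bug class the
advisory names (user input reaching a system call after an inadequate
allowlist check) and one defensible way to validate such input.
"""
import re
import shlex
import subprocess

# Constructed allowlist for the demo; program names only, never paths.
ALLOWED_COMMANDS = {"aws", "ls"}

# Characters that only have meaning to a shell. Rejecting them up front
# keeps the argv list free of anything a later caller might pass to
# shell=True by mistake.
SHELL_META = re.compile(r"[;&|`$<>\n\\(){}]")


def naive_is_allowed(command_line: str) -> bool:
    """Weak check: inspects only the first word. Everything after it,
    including shell metacharacters, is never examined, so if the caller
    then runs the whole string through a shell, the allowlist is no
    protection at all."""
    parts = command_line.split()
    return bool(parts) and parts[0] in ALLOWED_COMMANDS


def hardened_parse(command_line: str) -> list[str]:
    """Strict check. Raises ValueError unless the input is a plain
    argument list whose program name matches the allowlist exactly.

    Returns an argv list meant for subprocess.run(argv, shell=False):
    the list form never reaches a shell, so no token can be
    reinterpreted as a command separator or substitution."""
    if SHELL_META.search(command_line):
        raise ValueError("shell metacharacters are not permitted")
    try:
        argv = shlex.split(command_line)  # honours quoting, no expansion
    except ValueError as exc:
        raise ValueError(f"unparseable command line: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        # Exact match only: "awsx", "./aws" and "/bin/sh" all fail here.
        raise ValueError(f"program {argv[0]!r} is not on the allowlist")
    return argv


def hardened_is_allowed(command_line: str) -> bool:
    """Boolean wrapper around hardened_parse for callers that only need
    an accept/reject decision."""
    try:
        hardened_parse(command_line)
        return True
    except ValueError:
        return False


def run_allowed(command_line: str) -> subprocess.CompletedProcess:
    """Validate, then execute as an argv list with no shell involved."""
    argv = hardened_parse(command_line)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=30)


if __name__ == "__main__":
    # Constructed inputs: a benign command and two injection attempts.
    samples = ["aws s3 ls", "aws s3 ls; id", "ls $(id)", "/bin/sh -c id"]
    for s in samples:
        print(f"{s!r:24} naive={naive_is_allowed(s)!s:5} "
              f"hardened={hardened_is_allowed(s)}")
```

The two checks disagree exactly where it matters: the naive one accepts `aws s3 ls; id` because the first word is on the list, while the hardened one rejects it before any parsing. The metacharacter filter is deliberately conservative (it also refuses a quoted semicolon that `shell=False` would have treated as plain data); the load-bearing controls are the exact match on `argv[0]` and never passing the string to a shell.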
The disclosure timeline reveals a troubling response from the vendor. ZDI submitted the report on September 3, 2025, but the vendor did not acknowledge receipt until prompted in October. After multiple follow-ups, the vendor rejected the vulnerability on December 15, 2025, claiming it was not a valid issue. ZDI provided additional technical details in February 2026, but the vendor again declined to act, leading ZDI to publish the advisory as a 0-day on March 30, 2026.
With no patch available, the only mitigation recommended by ZDI is to restrict interaction with the product. This effectively means limiting network access to the MCP server to trusted hosts only, or disabling the service entirely if it is not essential. Organizations using aws-mcp-server should immediately assess their exposure and implement network-level controls to prevent exploitation.
The impact of this vulnerability is severe. The MCP server is used to facilitate communication between AI agents and external tools, making it a critical component in modern AI-driven workflows. A successful exploit could allow an attacker to take full control of the server, potentially leading to data theft, lateral movement, or further compromise of connected systems.
This incident highlights a growing concern in the cybersecurity community: vendors rejecting legitimate vulnerability reports without proper investigation. The decision to publish as a 0-day advisory is a last resort for researchers when vendors fail to respond or dismiss findings. In this case, the high severity of the flaw and the lack of a patch leave users in a precarious position, relying solely on manual mitigations.
As AI and MCP-based architectures become more prevalent, vulnerabilities in their foundational components will attract increasing attention from attackers. The aws-mcp-server 0-day serves as a stark reminder that even critical infrastructure components can be left exposed when vendors do not prioritize security disclosures. Organizations should monitor ZDI advisories and consider alternative solutions until a patch is made available.