Critical Zero-Day in aws-mcp-server Allows Unauthenticated RCE After Vendor Rejects Report
A critical command injection vulnerability (CVE-2026-5059, CVSS 9.8) in aws-mcp-server allows unauthenticated remote code execution, with the vendor rejecting the report and leaving users exposed.
A critical zero-day vulnerability has been disclosed in aws-mcp-server, a tool that integrates AWS CLI capabilities into the Model Context Protocol (MCP) ecosystem. Tracked as CVE-2026-5059 and assigned a CVSS score of 9.8, the flaw allows unauthenticated remote attackers to execute arbitrary code on affected installations. The advisory, published by Trend Micro's Zero Day Initiative (ZDI) on April 21, 2026, reveals that the vendor rejected the vulnerability report, leaving users without an official patch and at significant risk.
The vulnerability resides in how aws-mcp-server handles the allowed commands list. Specifically, the software fails to properly validate user-supplied strings before passing them to a system call. This command injection flaw enables an attacker to craft a malicious request that, when processed by the MCP server, executes arbitrary operating system commands. Because no authentication is required, any network-accessible instance of aws-mcp-server is potentially exploitable, making this a severe threat to cloud-native development environments and CI/CD pipelines that rely on MCP-based agentic workflows.
The disclosure timeline highlights a troubling breakdown in coordinated vulnerability disclosure. ZDI initially submitted the report to the vendor on September 3, 2025. After multiple follow-ups—including requests to confirm receipt on October 27, 2025, and updates on November 6, 2025—the vendor formally rejected the vulnerability on December 15, 2025. ZDI provided additional technical details on February 20, 2026, and again notified the vendor of its intent to publish a 0-day advisory on March 9, 2026. With no patch forthcoming, ZDI released the full advisory on April 21, 2026, crediting researchers Alfredo Oliveira and David Fiser of Trend Research.
The impact of this vulnerability is amplified by the broader context of AI agent security. aws-mcp-server is part of the growing ecosystem of MCP servers that allow large language models (LLMs) and autonomous agents to interact with external tools and services. As organizations increasingly deploy AI agents to automate cloud operations, vulnerabilities in the underlying MCP infrastructure can have cascading effects. An attacker exploiting CVE-2026-5059 could gain full control of the MCP server, potentially accessing AWS credentials, manipulating cloud resources, or pivoting to other systems within the network.
Given the vendor's rejection of the report, no official patch or mitigation is available. ZDI's advisory recommends restricting interaction with the product as the only salient mitigation strategy. This may involve blocking network access to aws-mcp-server instances, implementing strict firewall rules, or isolating the server in a segmented network environment. Organizations using aws-mcp-server should also monitor for signs of exploitation, such as unexpected system calls or anomalous network traffic.
The disclosure of CVE-2026-5059 as a 0-day underscores the growing tension between security challenges posed by rapidly adopted AI infrastructure components. As the line between development tools and production systems blurs, vulnerabilities in MCP servers and similar agentic middleware can have outsized impact. This incident also highlights the importance of vendor responsiveness; when vendors reject legitimate vulnerability reports, the security community must rely on public advisories to protect users, even at the cost of increased short-term risk.