aws-mcp-server Command Injection Remote Code Execution Vulnerability

Vulnerability

A command injection vulnerability allowing remote code execution has been identified in aws-mcp-server. This issue arises from improper validation of user-supplied strings in the allowed commands list, which can be exploited to execute arbitrary code on the server running aws-mcp-server. Notably, authentication is not required to exploit this vulnerability.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected server, with the executed code running in the context of the MCP server.

Added: Apr 11, 2026, 1:19 AM

Updated: Apr 11, 2026, 1:19 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

5.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

7.5

exploitability

7.4

remediation

0.0

relevance

5.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

aws-mcp-server Command Injection Remote Code Execution Vulnerability

Vulnerability

Impact

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating