QSearchQSearch

CVE-2026-4270

5.5 MEDIUM

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3....

Published: 2026-03-16 · Last updated: 2026-05-21

Severity and scoring

CVSS
5.5 MEDIUM
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CWE
CWE-424

Affected products

VendorProduct
amazonaws_api_mcp_server

Description

Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.

Source: NVD

References

Related CVEs

Same vendor

  • CVE-2026-10591 Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated... (8.8 HIGH)
  • CVE-2026-9255 Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary t... (7.8 HIGH)
  • CVE-2026-31431 In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly r... (7.8 HIGH)
  • CVE-2026-6437 Improper neutralization of argument delimiters in the volume handling component in AWS EFS CSI Driver (aws-efs-csi-driver) before v3.0.1 ... (6.5 MEDIUM)
  • CVE-2026-5747 An out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 might allo... (7.5 HIGH)

Same CWE

  • CVE-2026-0268 A security control bypass vulnerability in Prisma Access Agent for Linux allows a local attacker to route network traffic outside the VPN...
  • CVE-2024-8781 Execution with Unnecessary Privileges, : Improper Protection of Alternate Path vulnerability in TR7 Application Security Platform (ASP) a...