AWS MCP Server >= 0.2.14, < 1.3.9 Improper Alternate Path File Access
CVE-2026-4270 Published on March 16, 2026

AWS API MCP File Access Restriction Bypass
An Improper Protection of Alternate Path weakness exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms. It may allow the bypass of the intended file access restriction and expose arbitrary local file contents in the MCP client application context. To remediate this issue, users should upgrade to version 1.3.9.


Vulnerability Analysis

CVE-2026-4270 is exploitable with local system access and requires user interaction. The vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality, with no impact on integrity or availability.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Weakness Type

Improper Protection of Alternate Path

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.


Products Associated with CVE-2026-4270


Affected Versions

AWS API MCP Server: