{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5059", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:10:12.060Z", "datePublished": "2026-04-11T00:15:02.920Z", "dateUpdated": "2026-04-13T17:30:38.053Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:15:02.920Z"}, "title": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969."}], "affected": [{"vendor": "aws-mcp-server", "product": "aws-mcp-server", "versions": [{"version": "1.3.0", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-245/", "name": "ZDI-26-245", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:10:12.085Z", "datePublic": "2026-03-30T18:01:51.011Z", "source": {"lang": "en", "value": "Alfredo Oliveira and David Fiser of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:27:51.909223Z", "id": "CVE-2026-5059", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:30:38.053Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:27:51.909223Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:30:33.975Z"}}], "cna": {"title": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability", "source": {"lang": "en", "value": "Alfredo Oliveira and David Fiser of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "aws-mcp-server", "product": "aws-mcp-server", "versions": [{"status": "affected", "version": "1.3.0"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-30T18:01:51.011Z", "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-245/", "name": "ZDI-26-245", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:10:12.085Z", "descriptions": [{"lang": "en", "value": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:15:02.920Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5059", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:30:38.053Z", "dateReserved": "2026-03-27T18:10:12.060Z", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "datePublished": "2026-04-11T00:15:02.920Z", "assignerShortName": "zdi"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969."}], "id": "CVE-2026-5059", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:18.293", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-245/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "aws-mcp-server", "source": "cna", "vendor": "aws-mcp-server"}, "product": "aws-mcp-server", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-11T02:52:47.455325+00:00", "value": {"mitigation_remediation": ["Apply the vendor's patch for aws-mcp-server that addresses the command injection flaw.", "If no patch is yet available, configure the MCP server to use a strict whitelist of allowed commands and reject everything else.", "Restrict network access to the MCP server with firewall rules or access control lists to limit reachability.", "Monitor logs for attempts to invoke the command execution functionality and investigate suspicious activity.", "Ensure any remaining user-supplied command strings are adequately sanitized before being passed to the operating system."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is aws-mcp-server. No explicit version information is provided in the CVE entry, so all installations of aws-mcp-server that have not applied a vendor-supplied fix are considered vulnerable. The flaw impacts deployments that rely on the command execution feature without additional safeguards.", "description_and_impact": "The reported flaw lies in the handling of the command whitelist within aws-mcp-server. An attacker can supply an arbitrary string that bypasses validation and is directly passed to a system call. This allows execution of arbitrary code with the privileges of the MCP server, constituting a remote code execution vulnerability.", "risk_and_exploitability": "The vulnerability does not require authentication and can be triggered from any network location that can reach the MCP server, making the attack surface large. The high CVSS score of 9.8 reflects the potential for complete system compromise. Because there is no EPSS score and the issue is not listed in the CISA KEV catalog, the chance of public exploitation remains uncertain, but the combination of high severity and unauthenticated access indicates a high-risk threat."}}}}, "created": "2026-04-13T12:42:17.189461+00:00", "updated": "2026-04-13T12:57:03.367409+00:00", "vendors": ["aws", "aws$PRODUCT$aws-mcp-server"]}