Command injection yields unauthenticated RCE in aws-mcp-server
TL;DR — A command-injection flaw in aws-mcp-server’s “allowed commands” handling can let unauthenticated attackers execute arbitrary code in the MCP server context.
What happened
aws-mcp-server is an MCP (Model Context Protocol) service intended to let AI assistants execute AWS CLI commands on a user’s behalf. CVE-2026-5058 describes a Critical command-injection vulnerability where the server’s handling of an “allowed commands” list fails to properly validate a user-supplied string before it is used in a system call, enabling remote code execution without authentication.
| Item | Source value |
|---|---|
| Affected software | aws-mcp-server |
| Impact | Remote Code Execution (RCE) via OS command injection |
| Attack preconditions | Remote, no authentication required |
| Severity | CVSS v3.0 9.8 (CRITICAL) |
| Weakness | CWE-78 (OS Command Injection) |
| Affected versions (CVE record) | 1.3.0 is listed as affected (other versions are not explicitly enumerated; defaultStatus is unknown) |
This is an appsec-relevant, high-leverage break because MCP servers often sit at a trust boundary between an AI client and high-privilege automation (here, AWS CLI + credentials). If reachable by untrusted clients, an RCE in this layer can quickly become a full cloud control-plane compromise.
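To make the defect class concrete, here is an added, hypothetical example (not aws-mcp-server's code, and not a reproduction of its actual bug): a "weak" allowlist check that only prefix-matches the command string next to a hardened check that tokenises without a shell and requires every token to be expected. The allowlist contents, the argument character set and the function names are all assumptions for illustration.

```python
"""Allowlist validation for an MCP tool that runs AWS CLI commands.

Hypothetical, added example. It contrasts the CWE-78 shape of bug (the
allowlist is consulted, but the original string still reaches a shell)
with a version where the allowlist decision and the executed argv are
the same object.
"""
import re
import shlex
import subprocess
from typing import List, Optional

# Assumed allowlist: the only CLI invocations this tool should ever issue.
ALLOWED_COMMANDS = {
    ("aws", "s3", "ls"),
    ("aws", "sts", "get-caller-identity"),
}

# Assumed conservative argument alphabet: covers s3://bucket/key, --flags,
# region names and ARN fragments; excludes ; | & $ ` ( ) < > and whitespace.
SAFE_ARG = re.compile(r"^[A-Za-z0-9._/:=,@-]+$")


def weak_check(command: str) -> bool:
    """Prefix match only.

    "aws s3 ls; id" passes because it starts with an allowed prefix; the
    tail after ';' is never examined. If the caller then hands the string
    to subprocess with shell=True, /bin/sh executes both commands. This
    function exists only to show the defect and must not gate execution.
    """
    return any(command.startswith(" ".join(allowed)) for allowed in ALLOWED_COMMANDS)


def strict_check(command: str) -> Optional[List[str]]:
    """Tokenise without a shell and validate every token.

    Returns the argv list to execute, or None when the command is rejected.
    Tokens come from shlex (POSIX quoting rules, no expansion), so a ';'
    stays glued to its word ("ls;") and simply fails the allowlist match,
    and "$(id)" is an ordinary token that fails SAFE_ARG.
    """
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv:
        return None
    matched = None
    for allowed in ALLOWED_COMMANDS:
        if tuple(argv[: len(allowed)]) == allowed:
            matched = allowed
            break
    if matched is None:
        return None
    for arg in argv[len(matched):]:
        if not SAFE_ARG.match(arg):
            return None
    return argv


def run_allowlisted(command: str) -> "subprocess.CompletedProcess[str]":
    """Execute only what strict_check approved, as an argv list.

    shell=False means no shell parses the tokens; the process receives
    exactly the validated argv. Requires the aws binary on PATH.
    """
    argv = strict_check(command)
    if argv is None:
        raise PermissionError(f"command rejected by allowlist: {command!r}")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    for cmd in ("aws s3 ls; id", "aws s3 ls $(id)", "aws s3 ls s3://bucket/prefix --recursive"):
        print(f"{cmd!r}: weak={weak_check(cmd)} strict={strict_check(cmd)}")
```

Note that a subcommand allowlist still does not constrain what the CLI itself does with its arguments (profiles, endpoint overrides, output files), so the hardened check is a complement to least-privilege IAM on the credentials the server holds, not a substitute for it.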
Who is impacted
- Deployments running aws-mcp-server where the MCP service is reachable by untrusted clients or exposed beyond a local workstation boundary.
- Environments where the MCP server process has access to AWS credentials (e.g., environment variables, ~/.aws/credentials, instance role metadata, CI secrets) and can invoke aws commands.
- Teams using the version explicitly listed as affected in the CVE record (1.3.0), plus any deployments that cannot confirm whether they're on an unaffected build (the CVE record does not provide a complete affected range).
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE record does not specify a fixed version).
- Treat this as an internet-exposure emergency: ensure aws-mcp-server is not publicly reachable, and restrict access to trusted local clients only (firewall/bind-to-loopback/allowlist).
- Reduce blast radius until you can patch:
  - Run the service with the minimum OS privileges possible.
  - Constrain AWS permissions for credentials available to the MCP server (least-privilege IAM, short-lived credentials where feasible).
- If compromise is suspected, assume AWS credential exposure:
  - Rotate AWS access keys / session credentials available to the host.
  - Review CloudTrail (and local process logs) for unexpected aws CLI activity originating from the MCP server environment.
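As an added example of the CloudTrail review step (not part of the original advisory, and not a vendor tool), the script below scans CloudTrail records for aws CLI calls originating from the MCP server host that fall outside the small set of API actions its allowlisted commands should ever produce. The host IP, the expected event set and the sample records are constructed for illustration; in practice the IP comes from your inventory and the expected set from the tool's actual allowlist.

```python
"""Flag unexpected aws CLI activity from an MCP server host in CloudTrail.

Added, hypothetical example. Input is the CloudTrail log-file shape
({"Records": [...]}); the records below are constructed, not real.
"""
import json
from typing import Dict, List

# Assumed: source address(es) the MCP server host uses for AWS API calls.
MCP_HOST_IPS = {"203.0.113.10"}

# Assumed: the only (eventSource, eventName) pairs the tool's allowlisted
# CLI commands (e.g. "aws s3 ls", "aws sts get-caller-identity") should emit.
EXPECTED_EVENTS = {
    ("s3.amazonaws.com", "ListBuckets"),
    ("s3.amazonaws.com", "ListObjects"),
    ("sts.amazonaws.com", "GetCallerIdentity"),
}

# Constructed sample trail: two benign calls, two that a compromised MCP
# host would have no reason to make, and one call from an unrelated host.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2026-01-10T12:00:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mcp-runner"}},
    {"eventTime": "2026-01-10T12:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mcp-runner"}},
    {"eventTime": "2026-01-10T12:03:40Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mcp-runner"}},
    {"eventTime": "2026-01-10T12:03:41Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0 Python/3.11.6 Linux/6.1.0",
     "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/mcp-runner"}},
    {"eventTime": "2026-01-10T12:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/admin"}},
]})


def flag_unexpected_cli_activity(trail_json: str) -> List[Dict[str, str]]:
    """Return records from the MCP host, made via the CLI, outside EXPECTED_EVENTS.

    AccessDenied results are kept deliberately: a denied call from this host
    is still a call the allowlisted tool should never have attempted.
    """
    flagged: List[Dict[str, str]] = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("sourceIPAddress") not in MCP_HOST_IPS:
            continue  # scope to the MCP server's egress address
        if "aws-cli" not in rec.get("userAgent", ""):
            continue  # only CLI-originated calls, matching the tool's behaviour
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key in EXPECTED_EVENTS:
            continue
        flagged.append({
            "time": rec.get("eventTime", ""),
            "event": f"{key[0]}:{key[1]}",
            "principal": rec.get("userIdentity", {}).get("arn", ""),
            "error": rec.get("errorCode", ""),
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_unexpected_cli_activity(SAMPLE_TRAIL):
        print(hit)
```

Any hit is a trigger to rotate the credentials the host held and to widen the review to every principal those credentials could assume; a clean result only means nothing unexpected went through this host's address with a CLI user agent, not that the credentials were never used elsewhere.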
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
