AWS — API MCP File Access Restriction Bypass (CVE-2026-4270)
AWS disclosed and patched CVE-2026-4270 in the AWS API MCP Server, where alternate-path handling could bypass file-access restrictions and expose arbitrary local file contents to the MCP client context.
- The affected package is awslabs.aws-api-mcp-server, with vulnerable versions >=0.2.14 and <1.3.9.
- The bug sits in the server's file access controls for no-access and workdir modes, which are meant to constrain local file path usage.
- AWS classifies the weakness as CWE-424 (Improper Protection of Alternate Path), meaning path validation could be bypassed under certain argument patterns.
- Impact is data exposure: local files that should be blocked by MCP policy could become readable in the MCP client application context.
- This is exactly the high-risk boundary in agent tooling: model/tool calls crossing from prompt-driven logic into local filesystem or cloud-control actions.
- NVD reflects the same affected range and remediation version, with CNA vector details supplied by Amazon.
- AWS states there is no workaround; the required mitigation is version upgrade.
Why it matters
MCP servers are quickly becoming default plumbing for agentic workflows. When policy modes like no-access or workdir can be bypassed, the trust boundary between prompt-originated tool requests and local secrets weakens fast. In practical terms, a path-control flaw can turn “read only what’s allowed” into “read what the process can reach,” which is exactly how credentials, config files, or training artifacts leak from agent hosts.
What to do
- Upgrade immediately: move to awslabs.aws-api-mcp-server 1.3.9 or newer across all environments.
- Hunt for drift: inventory forks and pinned images to ensure no internal variant is still on <1.3.9.
- Constrain runtime permissions: run MCP processes with least-privilege filesystem and IAM permissions to limit blast radius.
- Audit tool-call logs: search for unusual file path arguments and accesses outside expected project directories.
- Treat MCP adapters as supply chain: add regular dependency scanning and emergency patch playbooks for agent-tooling components.
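Two of the steps above (hunting for pinned versions in the affected range, and auditing tool-call logs for path arguments that leave the expected workdir) can be scripted. The snippet below is an added example written for this page, not code from the AWS API MCP Server; it assumes a JSON-lines tool-call log with a `path` argument (constructed sample inline) and does not reproduce the actual bypass pattern, only a defender's containment check.

```python
import json
from pathlib import Path

# Affected range stated in the advisory: >=0.2.14 and <1.3.9.
AFFECTED_MIN = (0, 2, 14)
FIXED_AT = (1, 3, 9)

# Constructed sample tool-call log (JSON lines), not real server output.
SAMPLE_LOG = """\
{"tool": "read_file", "args": {"path": "src/config.yaml"}}
{"tool": "read_file", "args": {"path": "src/../../etc/passwd"}}
{"tool": "read_file", "args": {"path": "/etc/shadow"}}
{"tool": "read_file", "args": {"path": "./notes/../README.md"}}
{"tool": "list_dir", "args": {"path": "src"}}
"""


def is_affected(version: str) -> bool:
    """True if a pinned awslabs.aws-api-mcp-server version falls in the advisory range."""
    parsed = tuple(int(part) for part in version.split("."))
    return AFFECTED_MIN <= parsed < FIXED_AT


def resolves_inside(workdir: str, candidate: str) -> bool:
    """Containment check: normalise '..' segments and symlinks, then require the
    result to stay under workdir. An absolute candidate ignores workdir when joined,
    so it is caught the same way as a '..' escape."""
    root = Path(workdir).resolve()
    target = (root / candidate).resolve()
    try:
        target.relative_to(root)
        return True
    except ValueError:
        return False


def flag_escapes(log_text: str, workdir: str) -> list:
    """Return every path argument in the log that resolves outside workdir."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        path = json.loads(line).get("args", {}).get("path")
        if path is not None and not resolves_inside(workdir, path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    print(flag_escapes(SAMPLE_LOG, "/tmp/agent-project"))
```

The containment check is lexical-plus-symlink only; it is an audit heuristic for logs, not a substitute for upgrading to 1.3.9.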