aws-mcp-server — Command Injection RCE (CVE-2026-5058, ZDI-26-246)

AI relevance: aws-mcp-server is a critical MCP (Model Context Protocol) server that lets AI agents invoke AWS CLI commands, so a pre-auth command injection here gives attackers direct code execution on infrastructure that agents use to manage cloud resources.

  • CVE-2026-5058 (ZDI-26-246) is a command injection vulnerability in aws-mcp-server with CVSS 9.8 (Critical)
  • The flaw exists in the handling of the allowed commands list — user-supplied strings are passed to system calls without proper validation
  • No authentication is required to exploit this vulnerability (pre-auth RCE)
  • Successful exploitation allows arbitrary code execution in the context of the MCP server process
  • aws-mcp-server is a widely-used bridge connecting AI agents to AWS services — compromise gives attackers access to cloud infrastructure through agent tool chains
  • The vulnerability was reported through ZDI's bug bounty program, indicating independent discovery
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command

Why It Matters

MCP servers are the connective tissue between AI agents and external tools. A pre-auth RCE in an AWS-facing MCP server is particularly dangerous because agents running this server likely have cloud credentials attached — meaning command injection could escalate to full AWS account compromise. This follows a pattern: CVE-2026-5059 (also in aws-mcp-server) was disclosed alongside it, suggesting multiple injection vectors in the same codebase.

What To Do

  • Audit aws-mcp-server deployments — check if you're running an affected version and restrict network access immediately
  • Never expose MCP servers to untrusted networks: this vulnerability shows why authentication and network isolation are mandatory
  • Apply the principle of least privilege: AWS credentials used by MCP servers should be scoped to only the specific actions the agent actually needs
  • Monitor MCP server logs — look for unexpected command patterns or tool invocations that deviate from normal agent behavior
  • Check for CVE-2026-5059 — a related AWS CLI command injection RCE (CVSS 9.8) was disclosed in the same server
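
One way to enforce an allowed-commands list so that requested strings never reach a shell, and to reuse the same check when reviewing logged tool invocations. This is an added example, not aws-mcp-server's code; the allow-list entries, function names and sample log lines are assumptions constructed here.

```python
import shlex

# Hypothetical allow-list of (service, operation) pairs the agent may run.
ALLOWED = {("s3", "ls"), ("ec2", "describe-instances"), ("sts", "get-caller-identity")}
# Characters a shell would interpret; rejected as defence in depth.
SHELL_META = set(";&|`$<>\n\r")


class RejectedCommand(ValueError):
    """Raised when a requested command fails validation."""


def to_argv(command):
    """Return an argv list for subprocess.run(argv, shell=False), or raise."""
    if any(ch in SHELL_META for ch in command):
        raise RejectedCommand("shell metacharacter in command")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(str(exc)) from exc
    if len(argv) < 3 or argv[0] != "aws":
        raise RejectedCommand("not an 'aws <service> <operation>' command")
    if (argv[1], argv[2]) not in ALLOWED:
        raise RejectedCommand(f"{argv[1]} {argv[2]} is not allow-listed")
    return argv


def naive_prefix_check(command):
    """Generic CWE-78 pattern for contrast: a string prefix match says nothing
    about what follows the prefix once the string is handed to a shell."""
    return any(command.startswith(f"aws {s} {o}") for s, o in ALLOWED)


def audit(commands):
    """Return (command, reason) for each logged command the strict check rejects."""
    flagged = []
    for cmd in commands:
        try:
            to_argv(cmd)
        except RejectedCommand as exc:
            flagged.append((cmd, str(exc)))
    return flagged


# Constructed sample of logged tool invocations.
SAMPLE_LOG = [
    "aws s3 ls s3://example-bucket --recursive",
    "aws s3 ls; id",
    "aws iam create-user --user-name x",
    "aws ec2 describe-instances --region us-east-1",
]
```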
