Command Injection Vulnerability in AWS MCP Server
CVE-2026-5058

9.8CRITICAL

Key Information:

Vendor: Aws-mcp-server
Status: Aws-mcp-server
Vendor: CVE Published:; 11 April 2026

🔔 Create Aws-mcp-server Vulnerability Alert

What is CVE-2026-5058?

The AWS MCP server contains a command injection vulnerability that enables remote attackers to execute arbitrary code on the server without requiring authentication. This flaw is due to insufficient validation of user-supplied strings used in system calls. Exploiting this vulnerability allows an attacker to run code in the context of the MCP server, potentially compromising the system's integrity and security.

Affected Version(s)

aws-mcp-server 1.3.0

References

https://www.zerodayinitiative.com/advisories/ZDI-26-246/

x_research-advisory

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-5058 Data

JSON