Command Injection Vulnerability in AWS MCP Server by Amazon
CVE-2026-5059

9.8CRITICAL

Key Information:

Vendor: Aws-mcp-server
Status: Aws-mcp-server
Vendor: CVE Published:; 11 April 2026

🔔 Create Aws-mcp-server Vulnerability Alert

What is CVE-2026-5059?

A command injection vulnerability exists in the aws-mcp-server, allowing remote attackers to execute arbitrary code due to insufficient validation of user-supplied input before command execution. This flaw enables unauthorized access without the need for authentication, potentially compromising the server's integrity. Security measures should be implemented to patch this vulnerability to protect against potential exploitation.

Affected Version(s)

aws-mcp-server 1.3.0

References

https://www.zerodayinitiative.com/advisories/ZDI-26-245/

x_research-advisory

CVSS V3.0

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 11, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-5059 Data

JSON