PYSEC-2026-162

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/awslabs-aws-api-mcp-server/PYSEC-2026-162.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-162
Aliases
Published
2026-03-16T17:16:32.270Z
Modified
2026-05-22T18:26:09.906652278Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

An Improper Protection of Alternate Path issue exists in the no-access and workdir feature of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9, on all platforms. It may allow bypass of the intended file access restriction and expose arbitrary local file contents in the MCP client application context.

To remediate this issue, users should upgrade to version 1.3.9.

References

Affected packages

PyPI / awslabs-aws-api-mcp-server

Package

Name
awslabs-aws-api-mcp-server
Purl
pkg:pypi/awslabs-aws-api-mcp-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.2.14
Fixed
1.3.9

Affected versions

0.*
0.2.14
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
1.*
1.0.0
1.0.1
1.0.2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/awslabs-aws-api-mcp-server/PYSEC-2026-162.yaml"