Local File Inclusion in AWS API MCP Server no-access/workdir feature
CVE-2026-4270 is a local file inclusion / arbitrary file read vulnerability in AWS API MCP Server affecting versions >= 0.2.14 and < 1.3.9 on all platforms. The flaw exists in the no-access and workdir file access restriction features, which can be bypassed through an alternate path mechanism exposed by AWS CLI shorthand syntax. Specifically, the aws___call_aws tool could be induced to process parameters using the AWS CLI @= file-loading operator, causing the server to read attacker-referenced files from its own local filesystem. When the referenced file content was parsed in an invalid format, the resulting error message could include the file contents, exposing them back to the MCP client application context. The issue breaks the intended security boundary of FileAccessMode=NO_ACCESS and similar restrictions by allowing access to arbitrary local files on the MCP server host.
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
/etc/passwd, configuration files, credentials, secrets, tokens, and other execution-environment details. Because the vulnerability affects the MCP server process context, the attacker gains read access to files reachable by that process, undermining the intended file access restrictions and potentially enabling follow-on compromise using harvested secrets or environment information.Mitigation
If you can’t patch tonight, do this now.
aws___call_aws capability where possible, prevent untrusted prompts or users from supplying arbitrary AWS CLI parameters, and run the server with the least-privileged filesystem access possible so that sensitive files are not readable by the MCP server process. Rotate credentials and secrets accessible to the server if compromise is suspected. These are temporary measures; upgrading to 1.3.9 is the primary fix.Remediation
Patch, then assume compromise.
no-access or workdir restrictions, and review exposed secrets if exploitation is suspected.Exploits
No public exploits tracked yet. Mallory keeps watching.
No public exploit code observed for this vulnerability.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.