{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5058", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:09:58.198Z", "datePublished": "2026-04-11T00:14:52.192Z", "dateUpdated": "2026-04-13T17:32:02.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:52.192Z"}, "title": "aws-mcp-server Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968."}], "affected": [{"vendor": "aws-mcp-server", "product": "aws-mcp-server", "versions": [{"version": "1.3.0", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-246/", "name": "ZDI-26-246", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:09:58.221Z", "datePublic": "2026-03-30T18:02:15.538Z", "source": {"lang": "en", "value": "Alfredo Oliveira and David Fiser of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:31:54.224880Z", "id": "CVE-2026-5058", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:32:02.375Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5058", "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "state": "PUBLISHED", "assignerShortName": "zdi", "dateReserved": "2026-03-27T18:09:58.198Z", "datePublished": "2026-04-11T00:14:52.192Z", "dateUpdated": "2026-04-13T17:32:02.375Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "99f1926a-a320-47d8-bbb5-42feb611262e", "shortName": "zdi", "dateUpdated": "2026-04-11T00:14:52.192Z"}, "title": "aws-mcp-server Command Injection Remote Code Execution Vulnerability", "descriptions": [{"lang": "en", "value": "aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968."}], "affected": [{"vendor": "aws-mcp-server", "product": "aws-mcp-server", "versions": [{"version": "1.3.0", "status": "affected"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-26-246/", "name": "ZDI-26-246", "tags": ["x_research-advisory"]}], "dateAssigned": "2026-03-27T18:09:58.221Z", "datePublic": "2026-03-30T18:02:15.538Z", "source": {"lang": "en", "value": "Alfredo Oliveira and David Fiser of Trend Research"}, "metrics": [{"format": "CVSS", "cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-13T17:31:54.224880Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:31:58.717Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "aws-mcp-server Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of the allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27968."}], "id": "CVE-2026-5058", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "zdi-disclosures@trendmicro.com", "type": "Secondary"}]}, "published": "2026-04-11T01:16:18.157", "references": [{"source": "zdi-disclosures@trendmicro.com", "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-246/"}], "sourceIdentifier": "zdi-disclosures@trendmicro.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "zdi-disclosures@trendmicro.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.3.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "aws-mcp-server", "source": "cna", "vendor": "aws-mcp-server"}, "product": "aws-mcp-server", "vendor": "aws"}], "analysis": {"en": {"generated_at": "2026-04-11T02:52:52.993414+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued patch or upgrade to the latest version of AWS MCP Server as soon as it becomes available.", "Until a patch is available, restrict access to the MCP Server endpoints by firewall rules or network segmentation to block unauthenticated traffic.", "If possible, disable the command\u2011execution feature or enforce strict input validation on any parameters that are passed to system calls.", "Monitor system logs for unexpected command executions and investigate suspicious activity promptly.", "Keep the service updated by regularly checking the vendor\u2019s security advisories or the official AWS MCP Server release notes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is AWS MCP Server. The advisory does not list any specific version range, so the flaw may affect all existing installations of the service until a vendor\u2011issued update is released. Administrators should review their installed versions against vendor documentation.", "description_and_impact": "The aws-mcp-server service has a command injection flaw that allows an unauthenticated attacker to supply an unvalidated command string which is executed directly by the server. This vulnerability corresponds to CWE\u201178 (OS Command Injection) and can lead to arbitrary code execution with the privileges of the MCP server process, potentially compromising the entire environment. The public advisory reports the flaw as critical with a CVSS score of 9.8.", "risk_and_exploitability": "The risk is high because no authentication is required and the flaw can be triggered from a network\u2011facing interface. The exact attack vector is not detailed in the advisory, so we infer that it involves a vulnerable endpoint that receives command strings. The EPSS score is not available, and the vulnerability is not in the KEV catalog, but the CVSS score of 9.8 indicates a critical severity. The potential impact includes full compromise of the server and the systems it manages."}}}}, "created": "2026-04-13T12:42:18.197390+00:00", "updated": "2026-04-13T12:57:04.491603+00:00", "vendors": ["aws", "aws$PRODUCT$aws-mcp-server"]}