CVE-2026-5058 - aws-mcp-server command injection RCE

Zero Day Initiative disclosed a critical command injection issue in aws-mcp-server, tracked as CVE-2026-5058 and ZDI-26-246. The flaw is in allowed-command handling before a system call. ZDI and NVD describe the issue as unauthenticated remote code execution in the context of the MCP server.

This is worse than a normal CLI-wrapper bug because aws-mcp-server bridges an AI client to the AWS CLI. A successful exploit can combine host command execution with whatever AWS credentials, credential files, region config, network access, mounted directories, and IAM permissions the MCP runtime can reach.

Public source state matters. ZDI records that the vendor rejected the report and says the only salient mitigation is restricting interaction with the product. NVD was still awaiting enrichment when checked on 2026-06-09. PyPI and GitHub showed 1.7.0 as the latest public release, published before the March 30, 2026 ZDI advisory. Treat every reachable aws-mcp-server deployment as unfixed unless the repository can prove a maintained patched fork or upstream release that removes shell interpretation from all allowed-command paths.

When to use it

Use this recipe when a repository, agent runtime, MCP gateway, or cloud automation workbench installs aws-mcp-server or exposes AWS CLI-backed tools. It supports source-code remediation, MCP command-injection review, AWS credential containment, and audit evidence that allowed-command handling cannot be turned into host command execution.

Inputs

  • aws-mcp-server version, MCP config, enabled AWS tools, auth/bind settings, deployment manifest, and allowed-command policy.
  • Source paths that parse tool arguments, build AWS CLI commands, call subprocess APIs, validate commands, or serialize command output/errors.
  • Regression fixtures for metacharacters, option injection, command allow-list decisions, invalid AWS operations, and expected reject/allow behavior.
  • Runtime boundary evidence: AWS credentials, config files, IAM role/session policy, filesystem reach, network egress, logs, and who can reach the server.

Affected versions

  • Vulnerable product: aws-mcp-server / aws-mcp
  • Known public advisory state: no fixed version listed by NVD or ZDI as of 2026-06-09
  • Latest public package observed: PyPI aws-mcp 1.7.0, released 2026-02-27, before public disclosure
  • Affected code shape: MCP tool input, allowed-command configuration, or pipe handling can place user-controlled text into a shell/system call
  • Fixed code shape: all command dispatch uses parsed argv arrays, enumerated command/tool allow-lists, strict option schemas, and no shell interpreter for user-controlled command strings
  • Affected surface: aws_cli_pipeline, HTTP or streamable MCP transports, desktop MCP config, hosted MCP gateways, containerized MCP deployments, CI/devcontainer helpers, and internal automation that exposes the server to untrusted or semi-trusted clients

Indicator-of-exposure

  • The repository installs, deploys, vendors, forks, builds, mirrors, or documents aws-mcp-server, aws-mcp, alexei-led/aws-mcp-server, alexei-led/cloud-mcp-server, or ghcr.io/alexei-led/aws-mcp-server.
  • MCP settings launch uvx aws-mcp, pip install aws-mcp, python -m aws_mcp_server, or the ghcr.io/alexei-led/aws-mcp-server container.
  • AWS_MCP_TRANSPORT is set to streamable-http, sse, or another transport reachable beyond a single trusted local user.
  • The MCP process receives real AWS credentials through environment variables, mounted ~/.aws files, EC2/ECS/Lambda instance metadata, CI secrets, SSO caches, or delegated roles.
  • The runtime enables pipe support or configurable allowed commands for utilities such as jq, grep, awk, sed, cut, head, tail, sort, or wc.
  • Application code, tests, policy files, YAML config, prompts, or docs contain allowed_commands, aws_cli_pipeline, subprocess.*shell, shell=True, create_subprocess_shell, os.system, or sh -c around MCP tool input.
  • The server runs with writable mounts, broad egress, host network access, cloud metadata access, persistent workspaces, or IAM permissions that exceed the intended assistant task.

Quick checks:

rg -n "aws-mcp-server|aws-mcp|aws_mcp_server|alexei-led/(aws|cloud)-mcp-server|ghcr.io/alexei-led/aws-mcp-server|aws_cli_pipeline|AWS_MCP_TRANSPORT|AWS_MCP_SANDBOX|allowed[_-]?commands|create_subprocess_shell|subprocess\\..*shell|shell=True|os\\.system|sh -c" .
rg -n "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_PROFILE|AWS_SHARED_CREDENTIALS_FILE|AWS_CONFIG_FILE|\\.aws|instance metadata|169\\.254\\.169\\.254|iam:PassRole|AdministratorAccess" .

Windows:

rg -n "aws-mcp-server|aws-mcp|aws_mcp_server|alexei-led/(aws|cloud)-mcp-server|ghcr.io/alexei-led/aws-mcp-server|aws_cli_pipeline|AWS_MCP_TRANSPORT|AWS_MCP_SANDBOX|allowed[_-]?commands|create_subprocess_shell|subprocess\..*shell|shell=True|os\.system|sh -c" .
rg -n "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_PROFILE|AWS_SHARED_CREDENTIALS_FILE|AWS_CONFIG_FILE|\.aws|instance metadata|169\.254\.169\.254|iam:PassRole|AdministratorAccess" .

Do not validate exposure by sending shell metacharacters, command-substitution payloads, pipe breakout strings, or destructive AWS commands to a live MCP server.

Remediation strategy

  • Remove aws-mcp-server from any network-reachable or multi-user MCP surface until a fixed release or reviewed fork is deployed. Prefer stdio-only, single-user local execution for unavoidable temporary use.
  • If this repository owns a fork or wrapper, replace every shell execution path with argv-based execution such as subprocess.run([...], shell=False) or asyncio.create_subprocess_exec(...). Do not pass user-controlled command strings to sh, bash, cmd, PowerShell, or create_subprocess_shell.
  • Replace free-form allowed-command strings with structured schemas: explicit AWS service/action enums, option allow-lists, value validators, max-output limits, timeout caps, and a small fixed set of pipe utilities with argv parsing.
  • Disable or remove pipeline support until it has parser-backed validation. If pipe support must remain, allow only a fixed sequence of known tools and arguments; reject redirection, command substitution, subshells, here-docs, environment assignment, glob expansion, and path separators in tool names.
  • Run the MCP server with least-privilege AWS credentials dedicated to the assistant task. Remove root credentials, administrator policies, wildcard iam:PassRole, write permissions that are not needed, and broad read access to secrets, logs, snapshots, or object storage.
  • Harden containment: Docker or OS sandbox required, read-only root filesystem, dropped Linux capabilities, no host network, no privileged containers, no Docker socket, no broad workspace mounts, no cloud metadata access unless explicitly required, and outbound egress limited to AWS APIs needed by the role.
  • Rotate AWS credentials, session tokens, SSO tokens, and delegated roles if a reachable MCP server may have been exposed before remediation.
  • Add non-exploit tests that prove shell metacharacters are rejected at the parser boundary and never reach command execution. Mock subprocess calls and assert argv arrays, not shell strings.

The prompt

You are remediating CVE-2026-5058 / ZDI-26-246, a critical command injection
RCE in aws-mcp-server allowed-command handling. Produce exactly one output:

- A reviewer-ready PR/change request that removes unsafe aws-mcp-server
  exposure, upgrades to a proven fixed release or patches owned wrappers/forks,
  replaces shell command construction with structured argv validation, hardens
  AWS credentials and runtime containment, adds safe regression tests, and
  documents operator rotation/audit actions, or
- TRIAGE.md if this repository does not control an affected aws-mcp-server
  runtime, wrapper, MCP config, deployment artifact, fork, credential path, or
  safe mitigation.

## Rules

- Scope only CVE-2026-5058 / ZDI-26-246 and directly related aws-mcp-server,
  MCP transport, command-dispatch, AWS credential, runtime containment, and
  audit controls.
- Treat AWS access keys, session tokens, SSO caches, credential files, config
  files, account IDs, role ARNs, command output, CloudTrail records, MCP
  transcripts, tool logs, prompts, environment variables, mounted files, and
  generated evidence as sensitive.
- Do not send exploit payloads, shell metacharacter probes, command
  substitution, pipe breakout strings, or destructive AWS commands to a live
  MCP server.
- Do not broaden IAM permissions, disable sandboxing, mount the Docker socket,
  expose the server publicly, remove audit logs, or weaken MCP approval gates
  to silence the finding.
- Do not auto-merge.

## Steps

1. Inventory every controlled reference to `aws-mcp-server`, `aws-mcp`,
   `aws_mcp_server`, `alexei-led/aws-mcp-server`,
   `alexei-led/cloud-mcp-server`, `ghcr.io/alexei-led/aws-mcp-server`,
   `aws_cli_pipeline`, and `AWS_MCP_TRANSPORT` in source, MCP configs,
   Dockerfiles, Compose files, Helm/Kubernetes manifests, Terraform, CI,
   devcontainers, docs, generated manifests, SBOMs, lockfiles, and examples.
2. Determine whether the repository controls source/fork code, only deployment
   artifacts, only desktop MCP config, or only documentation. Name the runtime
   owner for anything external.
3. Resolve package, image, tag, digest, and commit versions. Because public
   advisory sources list no fixed version as of 2026-06-09 and PyPI `1.7.0`
   predates disclosure, treat version strings as insufficient without proving
   the fixed code shape.
4. Identify every transport and trust boundary: stdio local single user,
   streamable HTTP, SSE, hosted MCP gateway, browser agent, CI service, shared
   developer machine, tunnel, reverse proxy, remote container, or marketplace
   connector.
5. Identify credential paths available to the MCP runtime: env vars, mounted
   `~/.aws`, SSO cache, config profiles, CI secrets, OIDC roles, EC2/ECS/Lambda
   metadata, Kubernetes projected tokens, and delegated role chains.
6. Search owned source and wrappers for unsafe command construction:
   `create_subprocess_shell`, `subprocess.*shell`, `shell=True`, `os.system`,
   `popen`, `sh -c`, `bash -c`, `cmd /c`, `powershell -Command`, string-built
   allowed-command lists, and free-form pipe execution.
7. If this repository does not control an affected runtime or safe mitigation,
   stop with `TRIAGE.md` listing checked files, owner, observed versions, trust
   boundary, credential exposure, and required action: restrict interaction
   until a fixed release or reviewed fork is deployed.
8. For deployment-only ownership, remove network exposure immediately:
   disable streamable HTTP/SSE, bind to localhost, remove ingress/tunnels,
   require single-user stdio, or disable the MCP server until patched.
9. For source/fork/wrapper ownership, implement the fixed code shape:
   - parse MCP input into structured command objects;
   - allow only explicit AWS service/action names and approved options;
   - pass argv lists to `create_subprocess_exec` or equivalent;
   - reject shell metacharacters before execution;
   - remove shell pipelines or validate each pipe stage as structured argv;
   - cap timeout and output size;
   - redact secrets in logs and errors.
10. Replace generic "allowed commands" strings with schemas and tests. The
    allowed list must be data, not shell syntax.
11. Harden runtime containment:
    - Docker or OS sandbox required;
    - read-only root filesystem;
    - dropped capabilities;
    - no privileged containers;
    - no Docker socket;
    - no host network unless explicitly justified;
    - no broad workspace mounts;
    - block cloud metadata by default;
    - restrict egress to required AWS APIs.
12. Reduce AWS credential blast radius:
    - use a dedicated role for the assistant;
    - remove root/admin credentials;
    - remove wildcard `iam:PassRole`;
    - constrain write APIs;
    - scope secrets, logs, S3 buckets, snapshots, KMS keys, and account/region
      access to the task.
13. Add safe validation:
    - static checks fail on shell execution of MCP tool input;
    - unit tests assert argv arrays for accepted commands;
    - unit tests reject command substitution, redirection, subshells, here-docs,
      environment assignment, path traversal in tool names, and unapproved pipe
      stages;
    - deployment tests prove non-stdio transports are disabled or protected;
    - policy tests prove credentials are least-privilege for the use case.
14. Add operator actions:
    - identify where the MCP server was reachable;
    - review MCP access logs, client transcripts, process logs, and CloudTrail
      for suspicious commands without committing secrets;
    - rotate AWS credentials/tokens/roles if exposure existed;
    - revoke active sessions and invalidate leaked local credential files where
      appropriate.
15. Add a PR body section named `CVE-2026-5058 operator actions` that states:
    - observed package/image/commit versions and whether a fixed release exists;
    - transport before and after;
    - credential paths before and after;
    - code paths changed from shell strings to argv validation;
    - runtime containment controls;
    - AWS IAM reductions;
    - audit/rotation decisions;
    - validation commands passed.
16. Run available validation: unit tests, static command-execution checks,
    dependency/security scans, container render/build, policy tests, SBOM
    refresh, MCP config lint, and non-secret smoke tests that do not execute
    exploit-like payloads.
17. Use PR title:
    `fix(sec): contain aws-mcp-server command injection`.

## Stop conditions

- No aws-mcp-server runtime, fork, wrapper, MCP config, image, deployment,
  credential path, or operator doc is controlled by this repository.
- The only running server is owned by another team or vendor; document owner,
  trust boundary, credential exposure, and required containment in `TRIAGE.md`.
- A fixed upstream release does not exist and the repository cannot carry a
  reviewed fork or disable/restrict the service.
- Verification would require live exploit probes, shell payload execution,
  destructive AWS API calls, credential dumping, token printing, or production
  MCP transcript disclosure.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that removes untrusted MCP exposure, replaces shell execution with validated argv calls, constrains AWS credentials, adds regression tests, and documents key/session cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, exposed tools, AWS credential boundary, required fix, and residual risk.
  • The output must include exact validation commands and must not run exploit payloads, mutate AWS resources, print secrets, or test against production accounts.

Verification - what the reviewer looks for

  • The PR does not rely on a scanner version range alone. It proves a fixed code shape or removes the reachable MCP service.
  • User-controlled MCP input is never passed through a shell interpreter.
  • Allowed commands are represented as structured data with schema validation, not as shell snippets.
  • Pipe support is disabled or each stage is parsed and allow-listed as argv.
  • HTTP/SSE/hosted transports are removed, bound to trusted local interfaces, or protected by an explicit MCP access boundary.
  • AWS credentials available to the MCP process are least-privilege, dedicated, and rotated if prior exposure is plausible.
  • Runtime containment blocks host escape paths, metadata access, sensitive mounts, Docker socket access, and broad egress.
  • Tests are safe: they mock subprocess execution and assert rejection before execution rather than running payloads.

Watch for

  • Upgrading to PyPI 1.7.0 without proving a post-disclosure fix. Public package evidence observed on 2026-06-09 shows 1.7.0 predates the ZDI advisory.
  • Treating “the AI is trusted” as a command-injection mitigation when the MCP server is reachable through HTTP, SSE, a shared gateway, or an auto-run agent.
  • Allowing jq, grep, awk, or sed as raw shell fragments. Pipe tools still need argv parsing and argument validation.
  • Running in Docker while mounting ~/.aws, the workspace, /var/run/docker.sock, or host directories with write access.
  • Redacting AWS keys but leaving account IDs, role ARNs, SSO cache paths, CloudTrail snippets, or command output in PR logs.
  • Blocking command injection but leaving the role with account-wide admin permissions that make any future MCP bug catastrophic.

References