AWS disclosed CVE-2026-4270 in the official AWS API MCP Server, the open-source bridge that lets AI assistants interact with AWS services and infrastructure through the AWS CLI. The vulnerability was found in the server's file access control feature, which is designed to sandbox CLI commands to a working directory (workdir) or block all local file path arguments entirely (no-access).
Both access modes, workdir and no-access, contain an improper protection of alternate path flaw: an attacker can supply a crafted path that bypasses the intended restriction and exposes arbitrary local file contents to the MCP client application context.
Any AI assistant connected to an affected version of the AWS API MCP Server could have local host files read back into the agent's context window without the operator being aware. In enterprise deployments where the MCP server runs with cloud credentials in scope, this creates a direct path from prompt manipulation to credential or secret exfiltration from the local filesystem.
Immediate recommendation: Upgrade awslabs.aws-api-mcp-server to version 1.3.9 or later. No workaround exists — the only mitigation is patching.
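To find client configurations that still launch a version older than 1.3.9, the following added example (not code from AWS or the project) audits an MCP client config. It assumes the common `mcpServers` JSON layout and a launcher argument of the form `awslabs.aws-api-mcp-server@X.Y.Z` or `==X.Y.Z`; the server entry names and the sample config are constructed.

```python
import json
import re

PACKAGE = "awslabs.aws-api-mcp-server"  # package name from the advisory
FIXED = (1, 3, 9)                       # first fixed version per the advisory
# Package name alone, or pinned as name@version / name==version (assumed pin styles).
_SPEC = re.compile(re.escape(PACKAGE) + r"(?:(?:@|==)([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return a numeric tuple for 'X.Y.Z', or None for 'latest' and other non-numeric pins."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit_config(config):
    """Map each server entry that launches the package to 'upgrade', 'ok' or 'unpinned'."""
    findings = {}
    for name, entry in config.get("mcpServers", {}).items():
        matches = [m for m in (_SPEC.match(str(a)) for a in entry.get("args", [])) if m]
        if not matches:
            continue  # this entry does not launch the AWS API MCP Server
        pins = [parse_version(m.group(1)) for m in matches if m.group(1)]
        pins = [p for p in pins if p is not None]
        if not pins:
            findings[name] = "unpinned"  # resolved at launch time; check the cached version
        elif min(pins) < FIXED:
            findings[name] = "upgrade"   # older than 1.3.9
        else:
            findings[name] = "ok"
    return findings


# Constructed sample config, not taken from any real deployment.
SAMPLE = json.loads("""
{"mcpServers": {
  "aws-old":    {"command": "uvx", "args": ["awslabs.aws-api-mcp-server@1.3.2"]},
  "aws-fixed":  {"command": "uvx", "args": ["awslabs.aws-api-mcp-server@1.3.9"]},
  "aws-latest": {"command": "uvx", "args": ["awslabs.aws-api-mcp-server@latest"]},
  "other":      {"command": "npx", "args": ["some-other-server"]}
}}
""")

if __name__ == "__main__":
    for server, status in audit_config(SAMPLE).items():
        print(f"{server}: {status}")
```

An `unpinned` result means the config alone cannot show which version runs, so the installed or cached package version still has to be checked on the host.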