Cyber Resilience

CVE-2026-5059

CriticalRCE

Published: 11 April 2026

Published
11 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0191 77.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-5059 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-5059 is a command injection vulnerability in aws-mcp-server that permits remote code execution. The flaw resides in the handling of the allowed commands list, where insufficient validation of a user-supplied string occurs before it is used in a system call, enabling an attacker to execute arbitrary commands in the context of the MCP server. The issue affects installations of aws-mcp-server and carries a CVSS 3.0 base score of 9.8 with CWE-78 classification.

Unauthenticated remote attackers can exploit the vulnerability over the network without any user interaction or credentials. Successful exploitation grants full control over the affected server process, allowing arbitrary code execution that can lead to complete compromise of confidentiality, integrity, and availability.

The Zero Day Initiative advisory ZDI-26-245 provides further details on the issue at the referenced URL. The EPSS score remains low, with a current value of 0.0121 and a peak of 0.0171.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the…

more

allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote command injection in a server component directly enables T1190 (public-facing app exploitation) and T1059.004 (Unix shell command execution) for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30861Shared CWE-78
CVE-2026-40111Shared CWE-78
CVE-2026-25130Shared CWE-78
CVE-2026-33718Shared CWE-78
CVE-2026-40088Shared CWE-78
CVE-2026-42076Shared CWE-78
CVE-2018-25115Shared CWE-78
CVE-2026-7446Shared CWE-78
CVE-2025-24382Shared CWE-78
CVE-2026-29058Shared CWE-78

Affected Assets

Zerodayinitiative
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied strings before they are used in system calls, eliminating the command-injection flaw in the allowed-commands handler.

prevent

Limits the privileges of the MCP server process so that even a successful injection yields only minimal system impact.

prevent

Restricts the set of permitted commands and system functions, reducing the attack surface that the flawed allowed-commands list exposes.

References