CVE-2026-5059
Published: 11 April 2026
Summary
CVE-2026-5059 is a critical-severity OS Command Injection (CWE-78) vulnerability in Zerodayinitiative (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 22.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-5059 is a command injection vulnerability in aws-mcp-server that permits remote code execution. The flaw resides in the handling of the allowed commands list, where insufficient validation of a user-supplied string occurs before it is used in a system call, enabling an attacker to execute arbitrary commands in the context of the MCP server. The issue affects installations of aws-mcp-server and carries a CVSS 3.0 base score of 9.8 with CWE-78 classification.
Unauthenticated remote attackers can exploit the vulnerability over the network without any user interaction or credentials. Successful exploitation grants full control over the affected server process, allowing arbitrary code execution that can lead to complete compromise of confidentiality, integrity, and availability.
The Zero Day Initiative advisory ZDI-26-245 provides further details on the issue at the referenced URL. The EPSS score remains low, with a current value of 0.0121 and a peak of 0.0171.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21656
Vulnerability details
aws-mcp-server AWS CLI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of aws-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the…
more
allowed commands list. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the MCP server. Was ZDI-CAN-27969.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote command injection in a server component directly enables T1190 (public-facing app exploitation) and T1059.004 (Unix shell command execution) for arbitrary code execution.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of user-supplied strings before they are used in system calls, eliminating the command-injection flaw in the allowed-commands handler.
Limits the privileges of the MCP server process so that even a successful injection yields only minimal system impact.
Restricts the set of permitted commands and system functions, reducing the attack surface that the flawed allowed-commands list exposes.