Varonis Discovers Local File Inclusion in AWS Remote MCP Server via CLI Shorthand Syntax

Key Takeaways

• An LFI vulnerability (CVE-2026-4270) in the AWS Remote MCP Server allows authenticated users to read arbitrary files from the host OS.
• The vulnerability exploits the AWS CLI shorthand syntax (using the @= operator) to load local files, bypassing the FileAccessMode=NO_ACCESS configuration.
• File contents are unintentionally leaked through error messages when a command with an incorrect file format fails.
• The issue impacts all versions of the aws-api-mcp-server from 0.2.14 up to 1.3.8.
• AWS has patched the vulnerability in aws-api-mcp-server version 1.3.9.

Affected Systems

• AWS Remote MCP Server (aws-api-mcp-server) versions 0.2.14 through 1.3.8

Vulnerabilities (CVEs)

• CVE-2026-4270

Attack Chain

An authenticated user connects to the AWS Remote MCP Server and invokes the aws___call_aws tool. The user supplies a crafted AWS CLI command utilizing the shorthand file-loading syntax (e.g., @=fileb:///etc/passwd). The MCP server attempts to process the command and read the referenced local file from its own filesystem. Due to an intentional formatting failure, the server returns an error message that inadvertently includes the contents of the targeted file, allowing the attacker to read arbitrary files from the host.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but describes the exploitation mechanism involving the AWS CLI shorthand syntax.

Detection Engineering Assessment

EDR Visibility: Medium — EDR on the MCP server host might capture the AWS CLI process execution with the anomalous @=fileb:// arguments, but the actual file read is performed by the MCP server process itself. Network Visibility: Low — Traffic to the MCP server is likely encrypted (HTTPS/TLS), obscuring the payload unless SSL inspection is in place or API logs are monitored. Detection Difficulty: Moderate — Requires monitoring MCP server application logs or command-line executions for specific shorthand syntax (@=file:// or @=fileb://) which might be mixed with legitimate administrative activity.

Required Log Sources

• Application Logs (MCP Server)
• Process Command Line Logs
• AWS CloudTrail

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for AWS CLI commands or API calls to the MCP server containing the shorthand file-loading syntax (@=file:// or @=fileb://) targeting sensitive system files.	Process Command Line Logs, Application Logs	Credential Access	Low

Control Gaps

• Application-level input validation
• FileAccessMode configuration bypass

Key Behavioral Indicators

• Command lines containing @=fileb:// or @=file://
• MCP server error logs containing file contents or unexpected formatting errors

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Upgrade aws-api-mcp-server to version 1.3.9 or later.

Infrastructure Hardening

• Ensure any forked or derivative code of the MCP server is patched to incorporate the new fixes.
• Review IAM permissions and roles assigned to the MCP server to enforce least privilege.

User Protection

• Monitor for unauthorized access to the MCP server.

Security Awareness

• Educate developers on the risks of exposing powerful CLI abstractions and implicit features like file loading in remote execution services.

MITRE ATT&CK Mapping

• T1083 - File and Directory Discovery
• T1552.001 - Unsecured Credentials: Credentials In Files
• T1190 - Exploit Public-Facing Application

Additional IOCs

• File Paths:
  • /etc/passwd - Example sensitive system file targeted during the LFI proof-of-concept.
• Command Lines:
  • Purpose: Exploit LFI vulnerability to read local files via AWS CLI shorthand syntax | Tools: aws, aws___call_aws | Stage: Execution/Credential Access | aws ec2 create-tags --resources <instance_id> --tags Key="yay",Value@=fileb://