Varonis Threat Labs identified a Local File Inclusion (LFI) vulnerability (CVE-2026-4270) in the AWS Remote MCP Server that allows authenticated users to read arbitrary files. By exploiting the AWS CLI shorthand file-loading syntax via the aws___call_aws tool, attackers can bypass access restrictions and extract sensitive file contents through error messages.