CVE-2026-15415: CWE-23 Relative path traversal in AWS aws-healthomics-mcp-server
AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research. Improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow_files input. To remediate this issue, users should upgrade to version 0.0.36 or later.
AI Analysis
Technical Summary
AWS HealthOmics MCP Server versions before 0.0.36 contain a CWE-23 relative path traversal vulnerability in its linting tools. This flaw allows an actor with the ability to influence the MCP agent to write arbitrary content to locations outside the designated workflow bundle directory by using directory traversal sequences in the workflow_files input. This could lead to unauthorized file writes on the system running the MCP server. AWS has released version 0.0.36 to remediate this issue.
Potential Impact
The vulnerability allows an attacker with local access or influence over the MCP agent to write files to arbitrary locations outside the intended directory structure. This could potentially lead to unauthorized modification of files or code execution depending on the environment and usage context. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the requirement for local access and user interaction but with high impact on integrity.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Users should upgrade to aws-healthomics-mcp-server version 0.0.36 or later to address this vulnerability. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-060-aws/ for the latest guidance and confirmation of patch availability.
CVE-2026-15415: CWE-23 Relative path traversal in AWS aws-healthomics-mcp-server
Description
AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research. Improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow_files input. To remediate this issue, users should upgrade to version 0.0.36 or later.
CVSS v4.0
Score 6.8medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
AWS HealthOmics MCP Server versions before 0.0.36 contain a CWE-23 relative path traversal vulnerability in its linting tools. This flaw allows an actor with the ability to influence the MCP agent to write arbitrary content to locations outside the designated workflow bundle directory by using directory traversal sequences in the workflow_files input. This could lead to unauthorized file writes on the system running the MCP server. AWS has released version 0.0.36 to remediate this issue.
Potential Impact
The vulnerability allows an attacker with local access or influence over the MCP agent to write files to arbitrary locations outside the intended directory structure. This could potentially lead to unauthorized modification of files or code execution depending on the environment and usage context. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the requirement for local access and user interaction but with high impact on integrity.
Mitigation Recommendations
AWS manages remediation for this cloud-hosted service. Users should upgrade to aws-healthomics-mcp-server version 0.0.36 or later to address this vulnerability. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-060-aws/ for the latest guidance and confirmation of patch availability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- AMZN
- Date Reserved
- 2026-07-10T14:44:01.436Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
- Vendor Advisory Urls
- [{"url":"https://aws.amazon.com/security/security-bulletins/2026-060-aws/","vendor":"AWS"}]
Threat ID: 6a5b5eae2d1edb114c7fb305
Added to database: 07/18/2026, 11:08:30 UTC
Last enriched: 07/18/2026, 11:52:12 UTC
Last updated: 07/18/2026, 13:34:55 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.