Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 84%

CVE-2026-15415: CWE-23 Relative path traversal in AWS aws-healthomics-mcp-server

0
Medium
VulnerabilityCVE-2026-15415cvecve-2026-15415cwe-23
Published: 07/17/2026 (07/17/2026, 19:36:13 UTC)
Source: CVE Database V5
Vendor/Project: AWS
Product: aws-healthomics-mcp-server

Description

AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research. Improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow_files input. To remediate this issue, users should upgrade to version 0.0.36 or later.

CVSS v4.0

Score 6.8medium

Attack Vector
Local
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
Passive
Vuln. Confidentiality
None
Vuln. Integrity
High
Vuln. Availability
None
Subsq. Confidentiality
None
Subsq. Integrity
None
Subsq. Availability
None
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected software

Affected versions
<0.0.36

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 11:52:12 UTC

Technical Analysis

AWS HealthOmics MCP Server versions before 0.0.36 contain a CWE-23 relative path traversal vulnerability in its linting tools. This flaw allows an actor with the ability to influence the MCP agent to write arbitrary content to locations outside the designated workflow bundle directory by using directory traversal sequences in the workflow_files input. This could lead to unauthorized file writes on the system running the MCP server. AWS has released version 0.0.36 to remediate this issue.

Potential Impact

The vulnerability allows an attacker with local access or influence over the MCP agent to write files to arbitrary locations outside the intended directory structure. This could potentially lead to unauthorized modification of files or code execution depending on the environment and usage context. The CVSS 4.0 base score is 6.8 (medium severity), reflecting the requirement for local access and user interaction but with high impact on integrity.

Mitigation Recommendations

AWS manages remediation for this cloud-hosted service. Users should upgrade to aws-healthomics-mcp-server version 0.0.36 or later to address this vulnerability. Check the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-060-aws/ for the latest guidance and confirmation of patch availability.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
AMZN
Date Reserved
2026-07-10T14:44:01.436Z
Cvss Version
4.0
State
PUBLISHED
Remediation Level
null
Is Cloud Service
true
Vendor Advisory Urls
[{"url":"https://aws.amazon.com/security/security-bulletins/2026-060-aws/","vendor":"AWS"}]

Threat ID: 6a5b5eae2d1edb114c7fb305

Added to database: 07/18/2026, 11:08:30 UTC

Last enriched: 07/18/2026, 11:52:12 UTC

Last updated: 07/18/2026, 13:34:55 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses