PyPI: awslabs-aws-api-mcp-server
CVE-2026-4270
Safety vulnerability ID: SFTY-20260317-55129
Safety legacy ID: pyup.io-89625
Overview
AWS API MCP File Access Restriction Bypass
Advisory
Affected versions of the File Browser package are vulnerable to Broken Authentication because JWT tokens remain valid after logout. The /api/login endpoint issues long-lived JWTs, and the authentication logic in http/auth.go checks only the token's expiry and the user's last-update timestamp (d.store.Users.LastUpdate(tk.User.ID)); it implements no server-side session tracking, token revocation, or logout blacklist, so a token presented after logout is still accepted until it expires.
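The following Go program is an added example, not code from the File Browser project or from the advisory: it shows the validity decision the advisory describes (expiry plus the user's last-update timestamp) with the missing piece added, a server-side revocation list that the logout handler populates. `UserStore`, `MemUsers`, `RevocationList` and `Claims` are hypothetical names chosen for the example; signature verification of the token is assumed to have already happened, and the sample user and token are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Claims is the parsed, signature-verified payload of a session token.
// Signature verification is assumed to happen before ValidateToken runs;
// this example only covers the validity decision the advisory describes.
type Claims struct {
	ID       string // "jti": a unique per-token identifier, required for revocation
	UserID   int
	IssuedAt time.Time
	Expiry   time.Time
}

var (
	ErrExpired = errors.New("token expired")
	ErrStale   = errors.New("token issued before the user record was last updated")
	ErrRevoked = errors.New("token revoked by logout")
)

// UserStore is a hypothetical stand-in for the d.store.Users lookup named in
// the advisory: it reports when a user's record (password, permissions) last changed.
type UserStore interface {
	LastUpdate(userID int) time.Time
}

// MemUsers is an in-memory UserStore for the demonstration.
type MemUsers map[int]time.Time

func (m MemUsers) LastUpdate(userID int) time.Time { return m[userID] }

// RevocationList is the server-side state the advisory says is missing: the IDs of
// tokens invalidated at logout. Each entry carries the token's expiry so the list
// stays bounded: once a token would have expired on its own, its entry can be pruned.
type RevocationList struct {
	mu      sync.Mutex
	revoked map[string]time.Time
}

func NewRevocationList() *RevocationList {
	return &RevocationList{revoked: make(map[string]time.Time)}
}

// Revoke is what the logout handler calls with the token it was presented.
func (r *RevocationList) Revoke(c Claims) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.revoked[c.ID] = c.Expiry
}

// IsRevoked reports whether a token ID was revoked and is still within its lifetime.
func (r *RevocationList) IsRevoked(id string, now time.Time) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	exp, ok := r.revoked[id]
	return ok && now.Before(exp)
}

// Prune drops entries for tokens that have expired anyway and returns how many were removed.
func (r *RevocationList) Prune(now time.Time) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	n := 0
	for id, exp := range r.revoked {
		if !now.Before(exp) {
			delete(r.revoked, id)
			n++
		}
	}
	return n
}

// ValidateToken applies the two checks the advisory says the vulnerable code performs
// (expiry and user last-update) plus the revocation check it says is absent.
func ValidateToken(c Claims, users UserStore, rl *RevocationList, now time.Time) error {
	if !now.Before(c.Expiry) {
		return ErrExpired
	}
	// A token issued before the user's last update (e.g. a password change) is stale.
	if c.IssuedAt.Before(users.LastUpdate(c.UserID)) {
		return ErrStale
	}
	if rl.IsRevoked(c.ID, now) {
		return ErrRevoked
	}
	return nil
}

func main() {
	// Constructed sample data: one user, one token issued at a fixed point in time.
	base := time.Date(2026, 3, 17, 12, 0, 0, 0, time.UTC)
	users := MemUsers{1: base.Add(-time.Hour)}
	rl := NewRevocationList()
	tok := Claims{ID: "jti-example-1", UserID: 1, IssuedAt: base, Expiry: base.Add(24 * time.Hour)}

	fmt.Println("before logout:", ValidateToken(tok, users, rl, base.Add(time.Minute)))
	rl.Revoke(tok) // the logout handler's job
	fmt.Println("after logout: ", ValidateToken(tok, users, rl, base.Add(time.Minute)))
	fmt.Println("pruned after expiry:", rl.Prune(base.Add(25*time.Hour)))
}
```

The revocation list only works if every issued token carries a unique ID, and it must be shared across all server instances (or backed by a common store) for logout to take effect everywhere; storing each entry's expiry keeps the list from growing without bound, since entries can be pruned once the token would have been rejected by the expiry check anyway.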
References
- https://getsafety.com/vulnerabilities/SFTY-20260317-55129/CVE-2026-4270
- https://github.com/advisories/GHSA-2cpp-j2fc-qhp7
- https://pypi.org/project/awslabs.aws-api-mcp-server
- https://github.com/awslabs/mcp/security/advisories/GHSA-2cpp-j2fc-qhp7
- https://nvd.nist.gov/vuln/detail/CVE-2026-4270
- https://aws.amazon.com/security/security-bulletins/2026-007-AWS
- https://pypi.org/project/awslabs.aws-api-mcp-server/1.3.9
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.