2026-054-AWS

CVE-2026-15643 - AWS HealthLake MCP Server SSRF via Unvalidated Pagination URL

Published
July 14, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Bulletin ID: 2026-054-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/14/2026 13:00 PM PDT Description: AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. We identified CVE-2026-15643, a server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server. Impacted versions:
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

🔗 References (1)