Skip to main content

CVE-2026-15415 - Path traversal and arbitrary file write in the workflow linters of aws-healthomics-mcp-server

Bulletin ID: 2026-060-AWS
Scope: AWS
Content Type: Important (requires attention) / Informational
Publication Date: 07/17/2026 12:30 PM PDT

Description:

AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research. We identified CVE-2026-15415, where improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow_files input.

Impacted versions: aws-healthomics-mcp-server <= 0.0.35

Resolution:

This issue has been addressed in aws-healthomics-mcp-server version 0.0.36. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

No workarounds are available.

References:


Please email aws-security@amazon.com with any security questions or concerns.