Skip to main content

CVE-2026-15643 - AWS HealthLake MCP Server SSRF via Unvalidated Pagination URL

Bulletin ID: 2026-054-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 07/14/2026 13:00 PM PDT

Description:

AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. We identified CVE-2026-15643 a server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server.

Impacted versions: < 0.0.14

Resolution:

This issue has been addressed in awslabs.healthlake-mcp-server version 0.0.14. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

Workarounds:

In the interim, scope the IAM policy used by the server to least privilege rather than Resource: "*", and do not rely on the --readonly flag as a security boundary — it is an in-process guard over the mutating tools, not an IAM control, so disclosed credentials retain their full granted authority. Operators using role-based (STS) deployments should consider rotating the affected role's credentials if they suspect using an affected version.

References:

Acknowledgement:

We would like to thank Marios Gyftos for collaborating on this issue through the coordinated vulnerability disclosure process.


Please email aws-security@amazon.com with any security questions or concerns.