PT-2026-58721 · Aws · Awslabs.Healthlake-Mcp-Server

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-15643

CVSS v3.1

7.3

High

VectorAV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. A server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server.
Its recommended to upgrade to version 0.0.14 or later.

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15643

Affected Products

Awslabs.Healthlake-Mcp-Server