PT-2026-60846 · Aws · Aws-Healthomics-Mcp-Server

CVE-2026-15415

·

Published

2026-07-17

·

Updated

2026-07-17

CVSS v3.1

5.5

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AWS HealthOmics is a HIPAA-eligible service that fully manages the compute, storage, and workflow engine infrastructure required to run bioinformatics analyses at scale for clinical diagnostics, drug discovery, and agricultural research.
Improper limitation of a pathname to a restricted directory in the linting tools of the AWS HealthOmics MCP Server (aws-healthomics-mcp-server) before version 0.0.36 might allow an actor who can influence the MCP agent to write an actor-controlled content to arbitrary locations outside the intended workflow bundle directory, via directory traversal sequences in the workflow files input.
To remediate this issue, users should upgrade to version 0.0.36 or later.

Fix

Relative Path Traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15415

Affected Products

Aws-Healthomics-Mcp-Server