AI Developer Tool Vulnerabilities in Cursor IDE and AWS MCP Components
Multiple disclosures highlighted security weaknesses in AI development tooling and Model Context Protocol (MCP) ecosystems, including a Proofpoint-reported Cursor IDE deeplink abuse technique and AWS advisories for flaws in MCP-related components. Proofpoint described "CursorJack" as a social-engineering-driven abuse of the cursor:// protocol handler that, in tested configurations, could let an attacker trigger arbitrary command execution or install a malicious remote MCP server after a user click and prompt acceptance. The report emphasized that developers are high-value targets because their workstations often hold credentials and privileged access, and noted the default UI did not clearly distinguish malicious MCP install deeplinks from legitimate ones.
AWS separately disclosed two distinct vulnerabilities affecting its AI and MCP tooling rather than the same Cursor issue. CVE-2026-4270 affects the AWS API MCP Server in versions >= 0.2.14 and < 1.3.9, where alternate-path handling could bypass intended file access restrictions and expose arbitrary local file contents in the MCP client context; AWS fixed the issue in version 1.3.9 and credited Varonis Threat Labs. CVE-2026-4269 affects the Bedrock AgentCore Starter Toolkit before v0.1.13, where missing S3 ownership verification could allow remote code injection during the build process and lead to code execution in the AgentCore Runtime. These disclosures are substantive, each giving affected versions, impact, and remediation guidance, but the references do not all describe the same specific incident.
Timeline
Mar 30, 2026
ZDI discloses CVE-2026-5058 command injection in aws-mcp-server
Zero Day Initiative publicly disclosed ZDI-26-246 / CVE-2026-5058, a critical command injection vulnerability in aws-mcp-server that can allow unauthenticated remote attackers to execute arbitrary code via improper validation of a user-supplied string in the allowed commands list before it is used in a system call. ZDI said it had reported the issue to the vendor in September 2025, but after follow-ups and a vendor rejection, it published the issue as a 0-day advisory.
Mar 30, 2026
ZDI discloses CVE-2026-5059 command injection in aws-mcp-server
Zero Day Initiative publicly disclosed ZDI-26-245 / CVE-2026-5059, a critical command injection vulnerability in aws-mcp-server that can let unauthenticated remote attackers execute arbitrary code via improper validation of the allowed commands list before a system call. ZDI said it had reported the issue to the vendor in September 2025, but after follow-ups and a vendor rejection in December 2025, it proceeded with 0-day disclosure.
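The two ZDI advisories above describe the same defect class: a user-supplied string is compared against an allowed-commands list too loosely and then handed to a system call. The following is an added illustration, not aws-mcp-server's code; the allow-list, the loose check, and the hardened check are all constructed here to show why a prefix match followed by shell execution fails and what an exact-match, no-shell alternative looks like.

```python
"""Allow-list checks for a tool that runs system commands (constructed example)."""
import shlex
import subprocess

# Constructed allow-list for the demo; a real tool would scope this tightly.
ALLOWED_COMMANDS = {"ls", "cat", "echo"}

# Characters that only have meaning to a shell; a token containing one is
# rejected outright so the caller's intent stays unambiguous.
SHELL_META = set(";|&$`<>()")


def check_loose(user_string: str) -> bool:
    """Defective check in the class ZDI describes: it only looks at how the
    string starts, so anything appended after an allowed name passes, and
    unrelated programs that merely share a prefix ('lsblk') pass too."""
    return any(user_string.startswith(cmd) for cmd in ALLOWED_COMMANDS)


def run_loose(user_string: str) -> subprocess.CompletedProcess:
    """Defective execution path: the whole string is interpreted by /bin/sh."""
    if not check_loose(user_string):
        raise PermissionError("command not allowed")
    return subprocess.run(user_string, shell=True, capture_output=True, text=True)


def build_argv(user_string: str):
    """Hardened check: tokenise, require argv[0] to be an exact allow-list
    entry, and refuse any token carrying shell metacharacters.
    Returns the argv list, or None if the command is rejected."""
    try:
        argv = shlex.split(user_string)
    except ValueError:          # unbalanced quotes: fail closed
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    if any(set(tok) & SHELL_META for tok in argv):
        return None
    return argv


def run_validated(user_string: str) -> subprocess.CompletedProcess:
    """Hardened execution path: no shell, argv passed as a list."""
    argv = build_argv(user_string)
    if argv is None:
        raise PermissionError("command not allowed")
    return subprocess.run(argv, shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    for s in ("ls -la /tmp", "ls; id", "lsblk", "echo hi $(id)"):
        print(f"{s!r:22} loose={check_loose(s)!s:5} hardened={build_argv(s)}")
```

The loose check accepts `ls; id` and `lsblk` because both start with `ls`; the hardened check rejects both, and still accepts `ls -la /tmp` as a three-element argv that is executed without a shell. Detection-wise, the same tokenise-and-compare logic can be run over a tool server's request log to flag inputs that would have passed only the loose check.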
Mar 25, 2026
Varonis discloses LFI in AWS Remote MCP Server tied to CVE-2026-4270
Varonis Threat Labs disclosed that the AWS Remote MCP Server was vulnerable to local file inclusion through AWS CLI shorthand syntax, allowing authenticated users to read arbitrary files via the aws___call_aws tool even when FileAccessMode=NO_ACCESS was set. The researchers reproduced the issue against AWS's public endpoint, and AWS fixed it in aws-api-mcp-server version 1.3.9 while recommending users upgrade and patch forks.
Mar 16, 2026
Proofpoint discloses CursorJack deeplink abuse technique for Cursor IDE
Proofpoint Threat Research published details on "CursorJack," a proof-of-concept technique that abuses Cursor IDE's cursor:// MCP deeplink installation flow to socially engineer users into approving malicious MCP server installs. In controlled testing, the attack chain could lead to arbitrary command execution or installation of a malicious remote MCP server, but it was not described as a silent or zero-click exploit.
Mar 16, 2026
AWS publishes advisories for CVE-2026-4269 and CVE-2026-4270
AWS released security bulletins for CVE-2026-4269, involving improper S3 ownership verification in the Bedrock AgentCore Starter Toolkit, and CVE-2026-4270, involving an AWS API MCP file access restriction bypass. The references provide no further technical details beyond the advisory topics.
Related Stories

Anthropic MCP STDIO Design Flaw Enables RCE Across AI Tooling
Researchers at **OX Security** disclosed a design-level weakness in Anthropic’s **Model Context Protocol (MCP)** that can allow **arbitrary OS command execution** through unsafe `STDIO` transport behavior, creating a broad AI supply-chain risk. The flaw is reported to propagate through Anthropic’s official MCP SDKs into downstream tools and agents, with researchers linking it to at least **10 high- and critical-severity vulnerabilities** across widely used projects. Reported impacts include exposure of sensitive data such as API keys, chat histories, internal databases, and developer workstations, while estimates of exposure range from more than **7,000 publicly accessible servers** to as many as **200,000 servers** potentially at risk. Affected or cited projects include **LangFlow, Flowise, GPT Researcher, Upsonic, Windsurf, Claude Code, Cursor, Gemini-CLI, GitHub Copilot, LiteLLM,** and **LettaAI**. OX Security said it began reporting the issue to Anthropic in late 2025, but Anthropic reportedly treated the behavior as expected and responded by updating security guidance rather than changing the protocol architecture. Researchers described four main abuse paths: direct command injection, hardening bypass, zero-click or near-zero-click prompt injection in AI IDEs and coding assistants, and malicious MCP marketplace submissions that can execute commands on developer machines; they urged organizations to restrict public exposure, sandbox MCP-enabled services, treat external MCP configurations as untrusted, monitor MCP tool use, and install MCP servers only from verified sources.
2 days ago
Model Context Protocol (MCP) Security Risks From Untrusted Tool Servers and Verifiability Gaps
Security researchers warned that the *Model Context Protocol (MCP)*—used to let AI assistants connect to local tools and enterprise SaaS data—creates a significant attack surface when organizations install or authorize MCP “servers” and tool integrations. Praetorian highlighted that **locally hosted MCP servers run with the user’s privileges** and can therefore execute arbitrary commands, access local files, install malware, and exfiltrate data while masquerading as legitimate productivity tooling; it also described **“MCP server chaining,”** where a malicious local MCP server abuses data and actions flowing through a trusted remote integration (e.g., Slack/Google Drive) without needing to compromise the official provider. Separately, Gopher Security emphasized a **trust and auditability gap** in MCP deployments: standard logging for remote tool execution can be incomplete or tampered with, and organizations often cannot prove what code ran or what parameters were used inside a remote “black box” execution environment. The post described “puppet”/interception-style scenarios where an attacker could alter an MCP request (e.g., changing tool-call parameters to trigger data exfiltration or unauthorized actions) while returning plausible “success” responses, and proposed cryptographic approaches (e.g., **zero-knowledge proofs**) to make MCP tool execution verifiable rather than relying on mutable logs.
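The auditability gap described above (a request altered in transit, a plausible "success" returned, and mutable logs that cannot show what actually ran) can be made detectable with primitives simpler than the zero-knowledge proofs the post proposes. The following is an added illustration, not Gopher Security's code and not part of any MCP SDK: the client and server each compute an HMAC over the canonical tool call, the server returns its tag as an attestation, and the client keeps a hash-chained record of every call. A shared key, the tool names, and the transports are all constructed for the demo.

```python
"""Tamper-evident MCP tool-call records (constructed example)."""
import hashlib
import hmac
import json

# Constructed key; in practice provision it out of band, never over the
# same channel the tool calls travel on.
KEY = b"demo-shared-key"
GENESIS = "0" * 64


def canonical(tool: str, params: dict) -> bytes:
    """Deterministic encoding so both sides hash exactly the same bytes."""
    return json.dumps({"tool": tool, "params": params},
                      sort_keys=True, separators=(",", ":")).encode()


def tag(tool: str, params: dict, key: bytes = KEY) -> str:
    return hmac.new(key, canonical(tool, params), hashlib.sha256).hexdigest()


def server_execute(tool: str, params: dict, key: bytes = KEY) -> dict:
    """Honest server: executes the call and attests to the exact parameters
    it used. Execution itself is a stand-in here."""
    result = {"status": "ok"}
    return {"result": result, "attest": tag(tool, params, key)}


def append_record(log: list, entry: dict) -> None:
    """Hash-chain each record to its predecessor so edits or deletions break
    verification of everything that follows."""
    prev = log[-1]["hash"] if log else GENESIS
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    log.append({"prev": prev, "entry": entry, "hash": digest})


def verify_log(log: list) -> bool:
    prev = GENESIS
    for rec in log:
        body = json.dumps(rec["entry"], sort_keys=True, separators=(",", ":"))
        if rec["prev"] != prev:
            return False
        if hashlib.sha256((prev + body).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def client_call(tool: str, params: dict, transport, log: list) -> bool:
    """Send a call through `transport`, compare the server's attestation with
    the tag computed locally, and record the outcome. Returns True only when
    the server attests to exactly the parameters the client sent."""
    expected = tag(tool, params)
    response = transport(tool, params)
    verified = hmac.compare_digest(response.get("attest", ""), expected)
    append_record(log, {"tool": tool, "params": params,
                        "result": response.get("result"), "verified": verified})
    return verified


# Constructed transports standing in for the path between client and server.
def honest_transport(tool: str, params: dict) -> dict:
    return server_execute(tool, params)


def altering_transport(tool: str, params: dict) -> dict:
    """On-path intermediary of the kind the post describes: it changes a
    parameter before the server sees it and relays the server's reply."""
    return server_execute(tool, dict(params, dest="elsewhere"))


if __name__ == "__main__":
    records = []
    print("honest :", client_call("export", {"dest": "reports"}, honest_transport, records))
    print("altered:", client_call("export", {"dest": "reports"}, altering_transport, records))
    print("log ok :", verify_log(records))
```

The altered call fails verification because the server's tag covers `dest="elsewhere"` while the client computed its tag over `dest="reports"`, and the intermediary cannot forge a matching tag without the key. The caveat a practitioner should note: this binds the request to what an honest server attests it ran and makes the client-side record tamper-evident; it does not prove anything about a server that is itself malicious, which is the gap the post's zero-knowledge proposal aims at.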
Today
Attacks Exploiting AI Browser and IDE Integrations via Malicious Servers and Sidebar Spoofing
Security researchers have demonstrated new attack methods targeting AI-powered browsers and integrated development environments (IDEs) by exploiting their integration with external servers and AI sidebars. In one case, a proof-of-concept attack showed that a rogue Model Context Protocol (MCP) server could inject malicious JavaScript into Cursor’s built-in browser, allowing attackers to replace login pages, harvest credentials, and potentially compromise the victim’s workstation by leveraging the IDE’s privileges. The attack leverages the client-server architecture of MCP, which is increasingly used in AI agent workflows, and highlights the risks of using unvetted or custom MCP servers in developer environments. Separately, researchers have revealed an "AI sidebar spoofing" technique that targets AI browsers such as Comet by Perplexity and Atlas by OpenAI. This attack exploits users’ trust in AI-generated instructions by manipulating the AI sidebar interface, potentially leading to credential theft or other malicious outcomes. Both attack vectors underscore the expanding attack surface introduced by AI integrations in browsers and development tools, and the need for heightened scrutiny of third-party server integrations and user interface trust boundaries in AI-powered applications.
1 month ago