CyberRota
← Ana sayfaya dön

CVE-2026-15643

HIGH · CVSS 7.3

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-14T21:16:41.293 · Çekilme zamanı: 2026-07-15T00:09:07.409481+00:00

CyberRota Yorumu

Saldırganın giriş yapmış olması gerekebilir. Uzaktan istismar edilebilir olabilir.

CVE
CVE-2026-15643
Severity
HIGH
CVSS
7.3
EPSS
Yok

Orijinal NVD Açıklaması

AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. A server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server. Its recommended to upgrade to version 0.0.14 or later.