CVE-2026-15643
Gravedad CVSS v4.0:
CRÍTICA
Tipo:
CWE-918
Falsificación de solicitud en servidor (SSRF)
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026
Descripción
*** Pendiente de traducción *** AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. A server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server.<br />
<br />
<br />
<br />
Its recommended to upgrade to version 0.0.14 or later.
Impacto
Puntuación base 4.0
9.20
Gravedad 4.0
CRÍTICA
Puntuación base 3.x
7.30
Gravedad 3.x
ALTA



