🟠 High | Source: AWS Security Bulletins
A path traversal vulnerability (CVE-2026-15415) in the AWS HealthOmics MCP Server allows an attacker who can influence the MCP agent to write arbitrary content outside the intended workflow bundle directory. The flaw exists in the linting tools of versions 0.0.35 and earlier. This is particularly concerning given HealthOmics is used in HIPAA-regulated clinical and research environments where file system integrity is critical.
Security Architect’s Take: Upgrade aws-healthomics-mcp-server to version 0.0.36 or later immediately, particularly in any environment processing sensitive clinical or genomic data. Additionally, review MCP agent input handling to ensure untrusted or user-supplied workflow_files inputs are validated and sandboxed before processing.
Original advisory: CVE-2026-15415 - Path traversal and arbitrary file write in the workflow linters of aws-healthomics-mcp-server