INFRASTRUCTURE CRITICAL NEW

Exposed MCP Servers Become Cloud Takeover Pivots

Command injection in cloud MCP servers (CVE-2026-5058/5059) lets attackers reach the instance metadata service, steal the IAM role, and pivot into the whole cloud account.

2026-06-12 // 6 min read // Affects: aws-mcp-server, azure-mcp-server, MCP servers on cloud VMs

What is this?

A Model Context Protocol (MCP) server is the bridge that lets an AI agent call tools — run a query, hit an API, manage cloud resources. Two trends collided in spring 2026. First, Trend Micro researchers Alfredo Oliveira and David Fiser reported (April 28, 2026) that the number of MCP servers exposed on the public internet with no authentication and no encryption had nearly tripled, from 492 to 1,467. Second, critical command-injection flaws landed in popular cloud MCP implementations: CVE-2026-5058 and CVE-2026-5059 in the community aws-mcp-server (both CVSS 9.8, no authentication required, published April 10–11, 2026), plus an undisclosed Azure-side flaw tracked as ZDI-CAN-28042. The result is not just data exposure — it is a clean path from a vulnerable AI tool to full cloud-account compromise.

How it works

aws-mcp-server exposes an “allowed commands” handler that builds a shell command from a user-supplied string without proper neutralization (CWE-78, OS command injection). An attacker who can reach the endpoint injects shell metacharacters — ;, |, &&, backticks — alongside an arbitrary command, and the server executes them in its own process context. No credentials are needed.
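To make the CWE-78 pattern concrete, here is an added example (not aws-mcp-server's own code; the handler names and the allowlist contents are assumptions for illustration): a "run an AWS CLI command" tool written two ways. The vulnerable version splices the user string into a shell command line; the hardened version tokenizes it without a shell, requires an allowlisted service and subcommand, rejects any remaining argument carrying shell metacharacters, and executes the argv list directly so nothing is ever interpreted by /bin/sh.

```python
"""Shell-string vs. argv-allowlist handling for an MCP 'run a CLI command' tool."""
import shlex
import subprocess
from typing import List

# Constructed allowlist: service -> permitted subcommands. This is an assumption
# for the example, not the real aws-mcp-server configuration.
ALLOWED = {
    "s3": {"ls"},
    "ec2": {"describe-instances"},
    "sts": {"get-caller-identity"},
}

# Characters that must never reach a shell; with shell=False they would be
# harmless anyway, but rejecting them keeps the tool's contract narrow.
FORBIDDEN_CHARS = set(";|&`$<>\n")


class RejectedArgument(ValueError):
    """Raised when a tool argument fails validation."""


def build_command_vulnerable(user_input: str) -> str:
    """The CWE-78 pattern: the untrusted string becomes part of a shell command
    line, so ';', '|', '&&' and backticks are interpreted by /bin/sh.
    Shown for contrast only; never pass its result to subprocess with shell=True."""
    return "aws " + user_input


def parse_and_validate(user_input: str) -> List[str]:
    """Hardened handler: tokenize with shlex (no shell involved), then require an
    allowlisted '<service> <subcommand>' prefix and metacharacter-free arguments.
    Returns the argv list to execute, or raises RejectedArgument."""
    try:
        tokens = shlex.split(user_input)
    except ValueError as exc:  # unbalanced quotes and similar
        raise RejectedArgument(f"unparseable input: {exc}") from exc
    if len(tokens) < 2:
        raise RejectedArgument("expected '<service> <subcommand> [args]'")
    service, subcommand, *rest = tokens
    if service not in ALLOWED or subcommand not in ALLOWED[service]:
        # 's3 ls; id' tokenizes to ['s3', 'ls;', 'id'] and fails here,
        # because 'ls;' is not an allowed subcommand.
        raise RejectedArgument(f"{service} {subcommand} is not an allowed command")
    for tok in rest:
        if set(tok) & FORBIDDEN_CHARS:
            raise RejectedArgument(f"metacharacter in argument {tok!r}")
    return ["aws", service, subcommand, *rest]


def is_accepted(user_input: str) -> bool:
    """Convenience predicate: does the hardened validator accept this input?"""
    try:
        parse_and_validate(user_input)
        return True
    except RejectedArgument:
        return False


def run_hardened(user_input: str) -> subprocess.CompletedProcess:
    """Execute the validated argv directly (shell=False): even a token such as
    'x;id' would reach the aws binary as a literal argument, not as a command."""
    argv = parse_and_validate(user_input)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=30)


if __name__ == "__main__":
    for sample in ("s3 ls s3://example-bucket", "s3 ls; id", "ec2 describe-instances `id`"):
        print(f"{sample!r:40} vulnerable string: {build_command_vulnerable(sample)!r}")
        print(f"{'':40} hardened verdict:  {'accepted' if is_accepted(sample) else 'rejected'}")
```

The point of the argv form is that validation and execution are decoupled from shell parsing: the allowlist decides what the agent may do, and `shell=False` guarantees that whatever survives validation is passed as data, not as syntax.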

The pivot is what makes this severe. Such servers typically run on a cloud VM (an EC2 instance, an Azure VM) that carries an attached IAM role so the agent can manage cloud resources on the user’s behalf. Once an attacker has code execution on that host, they query the instance metadata service:

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE]

That returns temporary credentials for the VM’s IAM role. With those, the attacker steps off the MCP server and onto the cloud control plane — listing, reading, modifying, and deleting whatever the role can reach. Trend Micro describes the same chain leading to container breakout and VM escape.
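The credential read above is also the most reliable place to catch the pivot. The following is an added detection example (not from the original page or from Trend Micro): it scans egress-proxy log lines for requests to 169.254.169.254, rates a read of `/latest/meta-data/iam/security-credentials/` as high, a read of a named role's credentials as critical, and any token-less IMDSv1-style GET as medium. The log format, workload names and role name are constructed for the example.

```python
"""Flag instance-metadata-service credential reads in egress logs."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

IMDS_IP = ipaddress.ip_address("169.254.169.254")
CREDENTIAL_PREFIX = "/latest/meta-data/iam/security-credentials/"
CREDENTIAL_PATH = re.compile(r"^" + re.escape(CREDENTIAL_PREFIX))

# Constructed sample log in a space-separated egress-proxy format (an assumption
# for this example):
#   <timestamp> <workload> <dst-ip> <dst-port> <method> <path> <imds-token-header: yes|no>
SAMPLE_LOG = """\
2026-06-12T10:01:02Z mcp-server 52.94.0.10 443 GET /cli/s3/list no
2026-06-12T10:01:05Z mcp-server 169.254.169.254 80 GET /latest/meta-data/instance-id no
2026-06-12T10:01:06Z mcp-server 169.254.169.254 80 GET /latest/meta-data/iam/security-credentials/ no
2026-06-12T10:01:07Z mcp-server 169.254.169.254 80 GET /latest/meta-data/iam/security-credentials/mcp-agent-role no
2026-06-12T10:05:00Z billing-cron 169.254.169.254 80 PUT /latest/api/token yes
"""


@dataclass
class Finding:
    ts: str
    workload: str
    path: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, workload, dst, port, method, path, token = parts
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "workload": workload, "dst": dst_ip, "port": port,
            "method": method, "path": path, "token": token}


def scan(log_text: str) -> List[Finding]:
    """Return findings for metadata-service traffic, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != IMDS_IP:
            continue  # only traffic to the metadata endpoint is of interest
        if CREDENTIAL_PATH.match(rec["path"]):
            # Listing roles is suspicious; fetching a named role's keys is the pivot.
            named_role = rec["path"] != CREDENTIAL_PREFIX
            findings.append(Finding(
                rec["ts"], rec["workload"], rec["path"],
                "critical" if named_role else "high",
                "IAM role credentials read from the instance metadata service"
                if named_role else "IAM role listing on the instance metadata service"))
        elif rec["method"] == "GET" and rec["token"] == "no":
            findings.append(Finding(
                rec["ts"], rec["workload"], rec["path"], "medium",
                "IMDSv1-style GET without a session token"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.ts} {f.workload} {f.path}  {f.reason}")
```

In practice the same logic runs over whatever records your environment already has for link-local traffic (host-level egress proxies, eBPF or sidecar network telemetry); with IMDSv2 enforced, any token-less GET to 169.254.169.254 is itself anomalous and worth the medium-severity line.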

Why it matters

This is the lethal pairing of remote code execution and ambient cloud credentials. An MCP server feels like an application component, so teams expose it on a convenience port and forget that the underlying host holds a powerful IAM role. Trend Micro’s scan found over 90% of exposed servers offered direct read access to their data sources, 1,227 still on the deprecated SSE transport, and tools like execute_sql reachable on 70 hosts — including at least three exposing patient medical records. The blast radius of a single command-injection bug is therefore the entire cloud account the server’s role can touch, not just the agent’s data.

Defenses

Treat MCP servers as cloud infrastructure, not experimental toys.

  • Never expose MCP servers to the public internet. Bind to localhost or a private network; require authentication and TLS on every transport.
  • Enforce IMDSv2 and hop limits. Require session-token metadata requests and set the response hop limit to 1 so a compromised process inside a container cannot reach the metadata endpoint as easily.
  • Apply least privilege to the instance role. The VM hosting an MCP server should carry only the minimum IAM permissions; avoid broad * policies that turn one RCE into account takeover.
  • Patch or replace vulnerable servers. No fixed version of aws-mcp-server was available at disclosure (affected <= 1.7.0); pin to a maintained, audited implementation and validate every tool argument server-side.
  • Sandbox and monitor. Run MCP servers in isolated containers with egress filtering, and alert on metadata-service access and on unexpected execute_sql/shell tool invocations.
  • Only install MCP servers from verified sources, and treat any externally supplied server configuration as untrusted input.
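The IMDSv2 and hop-limit items above can be checked mechanically. The block below is an added example (not part of the original page): a pure audit function that evaluates the `MetadataOptions` block that `ec2:DescribeInstances` returns for each instance, plus a remediation helper that calls boto3's real `modify_instance_metadata_options` API with `HttpTokens="required"` and `HttpPutResponseHopLimit=1`. The instance IDs and sample data are constructed; the remediation function is the only part that touches AWS and is never invoked by the sample run.

```python
"""Audit EC2 MetadataOptions against the IMDSv2 / hop-limit guidance."""
from typing import Dict, List


def evaluate_metadata_options(instance_id: str, options: Dict) -> List[str]:
    """Return deviations for one instance's MetadataOptions block.

    Fields are the real ec2:DescribeInstances names: HttpEndpoint, HttpTokens,
    HttpPutResponseHopLimit. Missing fields are treated as AWS defaults."""
    issues: List[str] = []
    if options.get("HttpEndpoint", "enabled") == "disabled":
        return issues  # no metadata endpoint at all: nothing for a pivot to reach
    if options.get("HttpTokens") != "required":
        issues.append(
            f"{instance_id}: IMDSv1 still allowed "
            f"(HttpTokens={options.get('HttpTokens')!r}); set HttpTokens=required")
    hop_limit = int(options.get("HttpPutResponseHopLimit", 1))
    if hop_limit > 1:
        issues.append(
            f"{instance_id}: hop limit {hop_limit} lets a process in a container "
            f"reach IMDS through the host; set HttpPutResponseHopLimit=1")
    return issues


def audit(reservations: List[Dict]) -> List[str]:
    """Walk the 'Reservations' list from describe_instances and collect issues."""
    issues: List[str] = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            issues.extend(evaluate_metadata_options(
                inst["InstanceId"], inst.get("MetadataOptions", {})))
    return issues


def remediate(instance_id: str, region: str = None) -> Dict:
    """Enforce IMDSv2 with a hop limit of 1 on a live instance (requires boto3 and
    ec2:ModifyInstanceMetadataOptions permission; not called by the sample run)."""
    import boto3  # imported lazily so the audit logic runs without AWS access
    ec2 = boto3.client("ec2", region_name=region)
    return ec2.modify_instance_metadata_options(
        InstanceId=instance_id,
        HttpTokens="required",
        HttpPutResponseHopLimit=1,
        HttpEndpoint="enabled",
    )


# Constructed sample in the describe_instances response shape (instance IDs are
# placeholders, not real resources).
SAMPLE_RESERVATIONS = [
    {"Instances": [
        {"InstanceId": "i-0example-mcp-host",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                             "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0example-hardened",
         "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                             "HttpPutResponseHopLimit": 1}},
    ]},
    {"Instances": [
        {"InstanceId": "i-0example-no-imds",
         "MetadataOptions": {"HttpEndpoint": "disabled"}},
    ]},
]


if __name__ == "__main__":
    for issue in audit(SAMPLE_RESERVATIONS):
        print(issue)
```

Feed `audit()` the `Reservations` list from a real `describe_instances` call to get the same report across an account; a hop limit of 1 does block legitimate containerized workloads that rely on IMDS, so those should move to a credential mechanism that does not route through the host's metadata endpoint rather than have the limit raised.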

Status

Item | Detail
CVE-2026-5058 / CVE-2026-5059 | aws-mcp-server, CVSS 9.8, CWE-78, no auth
Affected | aws-mcp <= 1.7.0; no patched version at disclosure
Azure flaw | ZDI-CAN-28042 (Microsoft), CVSS 9.8, details undisclosed
Exposure | 1,467 public MCP servers (up from 492), per Trend Micro, April 28, 2026
Disclosure | NVD published CVE-2026-5059 on April 10, 2026 (ZDI-26-245)

Sources