CVE-2026-15643 in healthlake-mcp-server
Summary
by MITRE • 07/15/2026
AWS HealthLake MCP Server (awslabs.healthlake-mcp-server) is a Model Context Protocol server that enables AI assistants to interact with AWS HealthLake FHIR datastores. A server-side request forgery in the pagination handling component in AWS awslabs.healthlake-mcp-server before 0.0.14 on all platforms might allow a remote authenticated user to exfiltrate AWS temporary security credentials to an arbitrary endpoint via a crafted next_token parameter. The server does not validate that pagination URLs point back to the expected HealthLake endpoint, allowing an actor to redirect subsequent requests to an actor-controlled server.
Its recommended to upgrade to version 0.0.14 or later.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The AWS HealthLake MCP Server represents a critical component in the healthcare data ecosystem, enabling AI assistants to interface with FHIR datastores through the Model Context Protocol. This server acts as an intermediary between artificial intelligence systems and medical data repositories, creating a sophisticated integration layer that facilitates advanced healthcare analytics and decision support. The vulnerability resides within the pagination handling mechanism, specifically in how the system processes next_token parameters during data retrieval operations. This flaw constitutes a server-side request forgery vulnerability that fundamentally compromises the integrity of the authentication and authorization framework.
The technical implementation of this vulnerability stems from insufficient input validation within the pagination component of the HealthLake MCP Server. When processing pagination requests, the system fails to validate that the next_token parameter references legitimate HealthLake endpoints rather than arbitrary external servers. This validation gap creates a pathway for malicious actors to manipulate the pagination flow and redirect subsequent requests to attacker-controlled infrastructure. The vulnerability specifically affects all platforms running versions prior to 0.0.14, indicating a widespread exposure across different deployment environments. According to CWE classification, this represents a variant of CWE-918 Server-Side Request Forgery, where the server is tricked into making unauthorized requests to internal or external systems.
The operational impact of this vulnerability extends far beyond simple data exfiltration, particularly within healthcare environments where AWS temporary security credentials carry significant privileges and access controls. An authenticated attacker can leverage this flaw to harvest temporary credentials that may contain access tokens to sensitive medical data repositories, potentially enabling broader lateral movement within the cloud infrastructure. The attack vector requires only a single authenticated session, making it particularly dangerous as it bypasses traditional network-level protections and directly targets the application layer. This vulnerability aligns with ATT&CK technique T1566.002 for initial access through spearphishing attachments and T1071.004 for application layer protocols, while also supporting credential access patterns under T1528.
Organizations utilizing AWS HealthLake MCP Server must prioritize immediate remediation through the recommended upgrade to version 0.0.14 or later, which includes proper validation of pagination URLs and enhanced input sanitization mechanisms. Additional mitigations should include network-level restrictions on outbound connections from the server, implementation of strict firewall rules to prevent communication with untrusted endpoints, and monitoring for anomalous request patterns that might indicate exploitation attempts. The vulnerability demonstrates the critical importance of validating all external references in web applications, particularly those handling sensitive healthcare data where credential exposure can have severe consequences for patient privacy and regulatory compliance. Security teams should also implement comprehensive logging and alerting around pagination-related activities to detect potential exploitation attempts.