External risk intelligence

AWS HealthLake MCP Server Server-Side Request Forgery.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-15643

The component is a Model Context Protocol server used to connect AI assistants to AWS HealthLake. While typically deployed in internal development or enterprise application environments to facilitate AI workflows, it is not inherently a public-facing gateway or edge service, making internet exposure dependent on specific, less common deployment configurations.

Server-Side Request Forgery

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in the AWS HealthLake MCP Server, which facilitates AI assistant interaction with health data. The issue could allow an authenticated user to exfiltrate temporary AWS security credentials to an attacker-controlled server. The main concern is confirming relevance and exposure within your environment.

  • A security flaw could leak sensitive access credentials.
  • Protects AI-driven health data access and credentials.
  • Verify if your AI assistant interactions are affected.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access could exploit a server-side request forgery vulnerability in the pagination handling of the AWS HealthLake MCP Server. By manipulating a `next_token` parameter, the attacker can trick the server into sending AWS temporary security credentials to an arbitrary endpoint. This occurs because the server fails to validate that pagination URLs remain within the expected HealthLake endpoint, allowing redirection to an attacker-controlled server.

  • Authenticated user.
  • Crafted `next_token` parameter.
  • Exfiltrate AWS temporary credentials.

Live Threat

Current exploitation, exposure, and threat context

A server-side request forgery vulnerability exists in the pagination handling component of the AWS HealthLake MCP Server. When supported by the advisory's conditions, a remote authenticated user could potentially exfiltrate AWS temporary security credentials to an attacker-controlled server by manipulating the `next_token` parameter. This occurs because the server does not sufficiently validate that pagination URLs are directed back to the expected HealthLake endpoint, redirecting subsequent requests.

  • AWS temporary security credentials.
  • Crafted `next_token` parameter.
  • Credentials exfiltrated to arbitrary endpoint.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action for this vulnerability falls to teams managing AWS HealthLake and the AI assistants interacting with it. The first practical step is to identify all instances of the affected `awslabs.healthlake-mcp-server`, determine their reachability and criticality, and confirm the accountable owner for remediation planning.

  • Identify and confirm affected instances.
  • Verify business criticality and exposure.
  • Plan and coordinate remediation efforts.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the AWS HealthLake MCP Server?

It is a specialized software component—specifically a Model Context Protocol (MCP) server—designed to act as a bridge. It enables AI assistants to query and interact with AWS HealthLake, which stores and manages healthcare data in the FHIR format. By using this server, developers can integrate AI capabilities directly into their health-data workflows, allowing assistants to process or summarize clinical information stored in the cloud.

What does CVE-2026-15643 mean for security?

This vulnerability is a Server-Side Request Forgery (SSRF), categorized as CWE-918. It means the software does not properly check where it sends data when paginating through results. Because it fails to verify that a pagination URL points to the legitimate AWS HealthLake service, an attacker can trick the server into sending sensitive information, such as AWS temporary security credentials, to an arbitrary location they control.

How can an attacker trigger this vulnerability?

To trigger the bug, an attacker must have authenticated access to the system and provide a specifically crafted 'next_token' parameter during a data request. The flaw is not triggered by standard, legitimate interaction with the HealthLake service. It only occurs when the server is manipulated into misdirecting its internal requests to an unintended, attacker-supplied endpoint instead of the intended destination.

Do I need to worry about this vulnerability?

According to Halo Surface Signal, this component is generally used within internal development or enterprise AI workflows. While it is not typically an internet-facing gateway, your risk depends on your specific deployment. If your MCP server is configured to be accessible from public networks or is integrated into complex environments, the likelihood of unauthorized interaction increases.

How should I respond to this threat advisory?

The most effective first step is to locate all instances of 'awslabs.healthlake-mcp-server' within your environment. Once identified, evaluate their network accessibility and business function. If you are running a version older than 0.0.14, your primary action is to upgrade to version 0.0.14 or later to resolve the pagination validation issue.

References