AWS Latest Bulletins
CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
This AWS security bulletin, ID 2026-007, concerns the AWS API MCP Server, an open-source tool that lets AI assistants interact with AWS. The server runs AWS CLI commands, so users can manage AWS resources programmatically. Its configurable file access feature controls how those CLI invocations may touch the local file system, using the modes workdir, unrestricted, and no-access. A vulnerability, CVE-2026-4270, has been identified in the file access restrictions of versions 0.2.14 through 1.3.8: the intended file access limits can be bypassed. Specifically, the "no-access" and "workdir" configurations are affected, and the bypass can reveal the contents of arbitrary local files, exposing sensitive information. Impacted versions of awslabs.aws-api-mcp-server are >= 0.2.14 and < 1.3.9. Users should consult the provided article for comprehensive details and remediation instructions. The bulletin warrants immediate attention given the potential security implications. It was published on March 16, 2026.
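The bulletin does not describe how the bypass works, and the code below is not the MCP server's code. It is an added example, written from the defender's side, of two checks a practitioner would want after reading this bulletin: a version test against the affected range the bulletin states (>= 0.2.14 and < 1.3.9), and a hypothetical `FileAccessPolicy` class showing what a correct enforcement of the three named modes must do in workdir mode, namely canonicalise the requested path (resolving `..` and symlinks) before comparing it to the workdir root, rather than relying on a string-prefix or unresolved-path comparison. The directory layout in `demo()` is constructed for illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Affected range as stated in the bulletin: >= 0.2.14 and < 1.3.9
AFFECTED_MIN = (0, 2, 14)
FIXED_VERSION = (1, 3, 9)


def parse_version(v: str) -> tuple:
    """Parse a dotted numeric version such as '1.3.8' into a comparable tuple."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    """True if an installed awslabs.aws-api-mcp-server version is in the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


class FileAccessPolicy:
    """Hypothetical enforcement of the modes named in the bulletin (not the project's code)."""

    MODES = ("workdir", "unrestricted", "no-access")

    def __init__(self, mode: str, workdir: Optional[str] = None):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        if mode == "workdir" and workdir is None:
            raise ValueError("workdir mode requires a workdir")
        self.mode = mode
        # resolve() follows symlinks, so the root itself is in canonical form
        self.root = Path(workdir).resolve() if workdir is not None else None

    def allows(self, requested: str) -> bool:
        """Decide whether a CLI file operation on `requested` is permitted."""
        if self.mode == "no-access":
            return False  # no local file may be touched at all
        if self.mode == "unrestricted":
            return True
        # workdir mode: join (an absolute `requested` replaces the root), then
        # canonicalise so '..' segments and symlinks are resolved before the
        # containment test. A naive prefix check ('/work' vs '/work2') or a
        # check on the unresolved path is the kind of logic that gets bypassed.
        target = (self.root / requested).resolve()
        try:
            target.relative_to(self.root)
        except ValueError:
            return False
        return True


def demo() -> dict:
    """Build a constructed temp layout and return workdir-mode decisions for sample requests."""
    base = Path(tempfile.mkdtemp())
    work = base / "work"
    work.mkdir()
    (base / "work2").mkdir()                        # sibling dir sharing the prefix 'work'
    (base / "secret.txt").write_text("outside")     # constructed file outside the workdir
    os.symlink(base / "secret.txt", work / "link")  # symlink inside pointing outside
    policy = FileAccessPolicy("workdir", str(work))
    return {
        "inside": policy.allows("notes.txt"),
        "subdir": policy.allows("sub/notes.txt"),
        "dotdot": policy.allows("../secret.txt"),
        "sibling_prefix": policy.allows("../work2/x.txt"),
        "symlink_out": policy.allows("link"),
        "absolute_out": policy.allows(str(base / "secret.txt")),
        "absolute_in": policy.allows(str(work / "a.txt")),
    }


if __name__ == "__main__":
    print("1.3.8 affected:", is_affected("1.3.8"), "| 1.3.9 affected:", is_affected("1.3.9"))
    for name, decision in demo().items():
        print(f"{name:15s} -> {'allow' if decision else 'deny'}")
```

The `demo()` cases cover the classic ways a workdir restriction is defeated: `..` traversal, an absolute path, a sibling directory whose name shares the workdir's prefix, and a symlink inside the workdir that points outside it. Only the last column of that list (the symlink) requires resolving the path on disk; the other three are caught by canonicalising the path string alone.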