TheNote
AWS Latest Bulletins Note
GooglePlay AppStore

AWS Latest Bulletins

The specified webpage from AWS is dedicated to security bulletins. It is one of the reliable sources of information dissemination for the latest security notices and updates. The bulletins primarily cover security advisories, out-of-band patches and other product security updates. These bulletins make it easier for users to stay updated with the latest security considerations, ensuring their infrastructure stays secure and compliant.
RSS aws.amazon.com
Latest Bulletins aws.amazon.com
RSS Hunter RSS Hunter Aug 19, 2024

Thread Of Notes

CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins

AWS has released an important security bulletin concerning Language Servers for AWS and Amazon Q Developer IDE plugins. Two vulnerabilities have been identified, requiring immediate attention. The first, CVE-2026-12957, is an improper trust boundary enforcement issue present in versions before 1.65.0. This could lead to automatic command execution if a local user opens a crafted workspace and trusts it. The second vulnerability, CVE-2026-12958, involves missing symlink validation. It affects versions prior to 1.69.0 and can be exploited through a maliciously crafted symlink pointing outside the workspace. Both vulnerabilities are present in the Amazon Q Developer IDE plugins, which utilize these language servers. These critical issues are resolved in Language Servers for AWS version 1.69.0. Affected products include various versions of the Amazon Q Developer IDE plugins for VS Code, JetBrains, Eclipse, and Visual Studio. Users are strongly advised to update to the latest versions to mitigate these risks. Further details and the most current information are available in the linked AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-047-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 23

Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262

AWS has issued a critical bulletin regarding vulnerabilities in containerd, a container runtime used by Kubernetes. Five specific issues have been identified in the containerd CRI plugin. These vulnerabilities affect versions 1.7 through 2.3 of containerd. The identified CVEs include local image tag poisoning, command execution via image configuration, CDI annotation smuggling, arbitrary host file reading, and a denial-of-service attack triggered by images. These issues impact a range of AWS managed container services. This includes Amazon EKS, Amazon ECS, AWS Fargate, Bottlerocket, and Amazon Linux. The bulletin urges users to pay close attention to these security findings. Users should consult the linked article for the most current and comprehensive details. Immediate action may be required to mitigate potential risks.
https://aws.amazon.com/security/security-bulletins/rss/2026-046-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 19

CVE-2026-12530 - Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()

AWS has released a security bulletin regarding the Bedrock AgentCore Python SDK. A vulnerability, identified as CVE-2026-12530, has been discovered in the install_packages() method of the Code Interpreter client. This method failed to sufficiently sanitize package name arguments used in shell commands. Specifically, an incomplete blocklist allowed crafted inputs to bypass validation. This bypass could exploit pip's --index-url flag to redirect package installation to a malicious third-party server. Additionally, the -r flag could be used to read and expose arbitrary files within the Code Interpreter sandbox. The vulnerable versions of the SDK range from 1.1.3 up to, but not including, 1.6.1. Developers using these versions are strongly advised to take immediate action. Further details and the most current information can be found in the provided article.
https://aws.amazon.com/security/security-bulletins/rss/2026-044-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 17

CVE-2026-11931 - Insecure Permissions on Authentication Token Cache File in Kiro IDE

Bulletin ID: 2026-045-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/15/2026 11:45 AM PDT Description: Kiro IDE is an agentic development environment that makes it easy for developers to ship real engineering work with the help of AI agents. We identified CVE-2026-11931, where incorrect default permissions in Kiro IDE on macOS and Linux before version 0.11.133 could expose the authentication token cache file to other local users or processes via world-readable permissions (0644) instead of owner-restricted permissions (0600). Impacted versions: < 0.11.133 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-045-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 15

CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http

Bulletin ID: 2026-043-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/12/2026 11:45 AM PDT Description: AWS Common Runtime aws-c-http is a HTTP client library used by AWS SDKs for handling http requests to AWS services. We identified CVE-2026-12043, an issue where improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. Impacted versions: aws-c-http >= 0.4.22 AND <= 0.10.15 Exposed in following sdk versions: - aws-sdk-cpp >= 1.11.41, <= 1.11.814 - aws-sdk-java-v2 >= 2.44.27, <= 2.44.14 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-043-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 12

CVE-2026-10740 - Excessive memory allocation in s2n-quic

Bulletin ID: 2026-042-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/10/2026 11:15 AM PDT Description: s2n-quic is a Rust implementation of the QUIC protocol. We identified CVE-2026-10740, an issue of unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.82.0. An unauthenticated user can attempt to exhaust server memory on an s2n-quic endpoint by sending crafted CRYPTO frames with high offsets. The buffer used for processing CRYPTO frames does not enforce a maximum size. In the worst case, a single 1200-byte packet can cause approximately 9.4 MB of allocation. By repeatedly sending such packets, the resulting memory pressure could cause denial of service. No valid handshake is required. Impacted versions: < v1.82.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-042-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 10

CVE-2026-10740 - Excessive memory allocation in s2n-quic

Bulletin ID: 2026-041-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/10/2026 10:45 AM PDT Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-11417, an OS command injection issue in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) that may allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the actor to control the value of one or more of the affected bundling properties in the CDK application. Impacted versions: < 2.245.0 (on Windows, < 2.246.0) Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-041-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 10

CVE-2026-11393 - Code Injection via Improper Triple-Quote Escaping in AgentCore CLI Bedrock Agent Import

Bulletin ID: 2026-040-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/08/2026 11:45 AM PDT Description: The AWS AgentCore CLI (@aws/agentcore) is a developer tool for managing agent infrastructure lifecycle on Amazon Bedrock AgentCore. We identified CVE-2026-11393 in which improper neutralization of triple-quote characters during Python code generation may allow an authenticated user in the same AWS account to inject arbitrary Python code into the source file generated by the "agentcore add agent ‐‐type import" command. Specifically, the collaborationInstruction field of a Bedrock Agent collaborator association was interpolated into a triple-quoted Python docstring using single-quote escaping rather than triple-quote escaping. A user with bedrock:AssociateAgentCollaborator IAM permission could craft a collaborationInstruction value containing """ to break out of the docstring boundary in the generated main.py of the imported agent. If that generated file was subsequently executed - either via agentcore dev on the developer's local machine, or via agentcore deploy followed by agentcore invoke in the AgentCore Runtime environment - the injected Python would run with the credentials available in that context. Impacted versions: - @aws/agentcore >= 0.4.0 AND <= 0.14.1 - preview versions >= 0.3.0-preview.7.0 and <= 1.0.0-preview.8 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-040-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 8

CVE-2026-11400 and CVE-2026-11401

Bulletin ID: 2026-039-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/025/2026 12:15 PM PDT Description: Amazon Aurora PostgreSQL a fully managed relational database engine that's compatible with PostgreSQL. We identified CVE-2026-11400(JDBC) and CVE-2026-11401(Go), an issue in AWS Wrappers for Amazon Aurora PostgreSQL will allow for privilege escalation to rds_superuser role. A low privilege authenticated user can create a crafted function that could be executed with permissions of other Amazon Relational Database Service (RDS) users. Impacted versions: - AWS Advanced JDBC Wrapper >=3.0.0 and < 4.0.1 - AWS Advanced Go Wrapper release 2026-04-06 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-039-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 5

CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer

Bulletin ID: 2026-038-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/02/2026 12:15 PM PDT Description: Graph Explorer is an open source application that provides visualization and exploration of data in graph databases such as Amazon Neptune. We identified CVE-2026-10584 where, under certain circumstances, the server silently falls back to HTTP when HTTPS is enabled but certificates are unavailable, resulting in cleartext transmission of sensitive information. Impacted versions: >= 1.1.0 AND < 3.0.1 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-038-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 2

CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths

Bulletin ID: 2026-037-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 06/02/2026 08:45 AM PDT Description: Kiro is an agentic IDE users install on their desktop. We identified CVE-2026-10591. Insufficient access control restrictions in the file write tool in Kiro IDE prior to version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. Impacted versions: <0.11 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-037-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jun 2

CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing

A critical security vulnerability has been found in the Amazon Braket SDK, affecting versions 1.10.0 through 1.116.9. This vulnerability, identified as CVE-2026-9291, concerns an insecure deserialization issue within the job results processing. The deserialize_values() function incorrectly trusts the dataFormat field from JSON files. This field controls whether pickle.loads() is used to process data. A malicious actor with S3 write access can exploit this flaw. They can manipulate the dataFormat field to trigger arbitrary code execution. Specifically, they can change the format to pickled_v4 and inject malicious code. This allows remote authenticated users to execute code on machines processing job results. This could lead to a compromise of systems analyzing quantum job outputs. Users are strongly advised to consult the provided article for comprehensive details. Immediate action is required to address this significant security risk.
https://aws.amazon.com/security/security-bulletins/rss/2026-036-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 22

CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI

Bulletin ID: 2026-035-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/22/2026 09:45 AM PDT Description: Kiro CLI is a command-line AI coding assistant that enables developers to interact with AI models to execute code, manage files, and run shell commands. We identified CVE-2026-9255, an issue where missing input source validation in the tool authorization prompt could allow a local actor to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. Impacted versions: kiro-cli prior to 1.28.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-035-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 22

CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin

Bulletin ID: 2026-034-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/20/2026 12:45 PM PDT Description: rabbitmq-aws is a RabbitMQ plugin that resolves AWS ARNs in broker configuration at startup, fetching secrets (e.g., TLS certificates, private keys, passwords) from AWS services (Secrets Manager, S3, ACM Private CA) and passing them in-memory to RabbitMQ. We identified CVE-2026-9133, an active debug code issue in the plugin's ARN resolver. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. The debug code was inadvertently shipped in production builds with no mechanism to disable it. Impacted versions: >=0.1.0, <=0.2.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-034-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 20

CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver

Bulletin ID: 2026-033-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/18/2026 13:45 PM PDT Description: amazon-redshift-python-driver is the official Python connector for Amazon Redshift. We identified a code injection issue in versions 2.1.13 and earlier that could allow a rogue server or man-in-the-middle to execute arbitrary code on the client. Impacted versions: <=2.1.13 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-033-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 18

CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing

Bulletin ID: 2026-032-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/15/2026 11:45 AM PDT Description: coreMQTT is a lightweight MQTT client library for embedded devices. We identified CVE-2026-8686, an issue where missing bounds validation in the MQTT v5.0 SUBACK and UNSUBACK property parser in coreMQTT before 5.0.1 allows an MQTT broker to cause a denial of service (crash via heap out-of-bounds read) by sending a crafted packet. Impacted versions: v5.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-032-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 15

Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 &: CVE-2026-8597)

This security bulletin addresses vulnerabilities in the Amazon SageMaker Python SDK, impacting model deployment. The ModelBuilder component of the SDK simplifies model deployment, but contains weaknesses. Two critical vulnerabilities are identified, categorized as CVE-2026-8596 and CVE-2026-8597. CVE-2026-8596 involves the insecure storage and exposure of an HMAC signing key. This key is stored in plaintext and accessible through SageMaker describe APIs. An attacker could exploit this to forge signatures and execute malicious code in inference containers. CVE-2026-8597 highlights a lack of integrity verification in the Triton inference handler. This flaw allows the deserialization of model artifacts without checks, enabling code execution through crafted pickle payloads. The affected versions are within specific ranges of the SageMaker Python SDK, namely versions 2.199.0 through 2.257.1 and 3.0.0 through 3.7.1. These vulnerabilities could lead to remote code execution within the SageMaker environment. This means an unauthorized user could potentially execute commands and compromise model integrity. Users should consult the linked security bulletin for detailed remediation steps. This bulletin emphasizes the importance of promptly addressing these critical security issues.
https://aws.amazon.com/security/security-bulletins/rss/2026-031-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 14

Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel

Bulletin ID: 2026-029-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/13/2026 18:45 PM PDT This is an ongoing issue. Information is subject to change. Please refer to our Security Bulletin (ID: 2026-030-AWS) for the most updated patching information. Description: Amazon is aware of CVE-2026-46300, a report of an additional privilege escalation issue in the Linux kernel related to the DirtyFrag, copy.fail class of issues (CVE-2026-43284). The proof of concept uses a vector via the loadable module espintcp. Amazon Linux does not provide this module, and is not affected. As defense in depth we will include a correctness patch to the core networking code to harden against possible similar issues in network protocol implementations that rely on this behavior.
https://aws.amazon.com/security/security-bulletins/rss/2026-029-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 14

Ongoing updates on Copy.fail and variants

Bulletin ID: 2026-030-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 05/13/2026 10:00 PM PDT This is an ongoing issue. This bulletin will be updated as more information becomes available. Description: AWS is aware of the copy.fail or DirtyFrag class of issues - a set of privilege escalation issues affecting the Linux Kernel. We will update this bulletin as more information becomes available. Please see below for current patching timelines for affected services related to the Copy.fail kernel issue and all its variants. AWS recommends that customers apply all updates addressing these issues as soon as they are available. See more details at Security Bulletin (ID: 2026-030-AWS).
https://aws.amazon.com/security/security-bulletins/rss/2026-030-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 14

CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver

Bulletin ID: 2026-028-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/05/08 11:30 AM PDT Description: Amazon Redshift JDBC Driver is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs). We identified an issue in Amazon Redshift JDBC Driver versions prior to 2.2.2. Under certain conditions, the driver could load and execute arbitrary classes when processing JDBC connection URL parameters. An actor who can influence the connection URL could potentially execute code in the application context. Impacted versions: Amazon Redshift JDBC Driver < 2.2.2 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-028-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 8

Dirty Frag and other issues in Amazon Linux kernels

Bulletin ID: 2026-027-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/05/07 19:45 PM PDT Description: Amazon is aware of a class of issues in the Linux kernel related to the original issue (CVE-2026-31431). The issues commonly referred to as "DirtyFrag" are present in a number of loadable modules, including xfrm_user/esp4/esp6 and ipcomp4/ipcomp6. On systems that allow unprivileged users to create sockets directly or through CAP_NET_ADMIN, or allow the creation of unprivileged user namespaces (user+net), an actor may gain access to kernel memory and thus escalate their privileges. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 8

CVE-2026-31431

Bulletin ID: 2026-026-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/05/06 17:30 PM PDT Description: Amazon is aware of an issue in the Linux kernel (CVE-2026-31431) that could potentially allow an authenticated local user to escalate privileges. With the exception of the services listed below, AWS customers are not affected. See below for specific guidance on affected services. As a best practice, AWS recommends that you apply all security patches and software version updates as soon as they become available. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-026-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 7

CVE-2026-7791 - Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent

Bulletin ID: 2026-025-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/05/04 15:30 PM PDT Description: Amazon Skylight Workspace Config Service ( slwsconfigservice) is a critical background service within Amazon WorkSpaces that manages system configuration, monitors health, and updates components. We identified CVE-2026-7791 which allows a local non-admin authenticated user to escalate privileges to SYSTEM by exploiting a race condition in the Skylight Workspace Config Service's log file archival process. Impacted versions: < 2.6.2034.0 of the Windows Amazon Skylight Workspace Config Service (slwsconfigservice) Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-025-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 4

CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials

Bulletin ID: 2026-024-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/30 13:30 PM PDT Description: Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. The Amazon ECS agent supports mounting FSx for Windows File Server volumes in task definitions on Windows EC2 instances. We identified CVE-2026-7461, a command injection issue in FSx volume mounting that enables code execution with SYSTEM privileges via a specially crafted credentials in ECS task definitions. Impacted versions: Version 1.47.0 through 1.102.2 of the ECS Agent for Windows Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-024-aws/ aws.amazon.com
RSS Hunter RSS Hunter May 1

Issue with FreeRTOS-Plus-TCP - IPv6 Router Advertisement Memory Safety Issues

Bulletin ID: 2026-023-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/29 12:30 PM PDT Description: FreeRTOS-Plus-TCP is an open source TCP/IP stack implementation designed for FreeRTOS, providing a standard Berkeley sockets interface and support for essential networking protocols including IPv6, ARP, DHCP, DNS, and Router Advertisement (RA). We identified CVE-2026-7425 and CVE-2026-7426, one of them being out-of-bounds read and another one being out-of-bounds write issues respectively in the IPv6 Router Advertisement option parser where insufficient validation of length fields allows memory operations without proper bounds checking. Either issue can be exploited by any device on the local network that can send crafted Router Advertisement packets. No authentication or user interaction is required. Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-023-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 29

CVE-2026-7424 - Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP

Bulletin ID: 2026-022-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/29 12:20 PM PDT Description: FreeRTOS-Plus-TCP is an open-source, scalable TCP/IP stack for FreeRTOS. We identified CVE-2026-7424, where an integer underflow issue in the DHCPv6 sub-option parser could allow an adjacent network user to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (IP task freeze requiring hardware reset). Impacted versions: FreeRTOS-Plus-TCP >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <= V4.4.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-022-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 29

Issue with FreeRTOS-Plus-TCP - MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow

Bulletin ID: 2026-021-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/29 12:00 PM PDT Description: FreeRTOS-Plus-TCP is a scalable, open source, and thread-safe TCP/IP stack for FreeRTOS. - CVE-2026-7422: Insufficient packet validation in the IPv4 and IPv6 receive paths allows an adjacent network device to send a packet that bypasses checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the target device's own registered endpoints. - CVE-2026-7423: Integer underflow in the ICMP and ICMPv6 echo reply handlers allows an adjacent network device to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read. Impacted versions: >=V4.0.0 AND <=V4.2.5, >=V4.3.0 AND <=V4.4.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-021-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 29

CVE-2026-7191- Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS

Bulletin ID: 2026-020-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/27 13:15 PM PDT Description: QnABot on AWS is an open-source solution that provides a multi-channel, multi-language conversational interface powered by Amazon Lex, Amazon OpenSearch Service, and optionally Amazon Bedrock. We identified CVE-2026-7191, where the improper use of the static-eval npm package may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. By injecting a crafted conditional chaining expression via the Content Designer interface, an actor with Admin access could bypass the intended expression sandbox through JavaScript prototype manipulation. Successful exploitation may grant direct access to backend resources, including Lambda environment variables, OpenSearch indices, S3 objects, and DynamoDB tables, that are not exposed through normal administrative interfaces. Impacted versions: <=7.2.4 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-020-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 27

Issues in tough library and tuftool CLI utility

This AWS security bulletin, published on April 24, 2026, addresses vulnerabilities in the "tough" library and "tuftool" CLI utility. Multiple security issues, identified as CVE-2026-6966, CVE-2026-6967, and CVE-2026-6968, have been discovered. The impacted versions include "tough" versions 0.1.0 through 0.21.x and "tuftool" versions 0.1.0 through 0.14.x. Users are advised to review the provided article for comprehensive details and necessary remediation steps.
https://aws.amazon.com/security/security-bulletins/rss/2026-019-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 24

Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912

Bulletin ID: 2026-018-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/24 09:15 AM PDT Description: AWS Ops Wheel is an open-source tool that helps teams make random selections using a virtual spinning wheel, deployed into customer AWS accounts via CloudFormation. CVE-2026-6911 relates to an issue where JWT token signature verification was not enforced in the v2 API. CVE-2026-6912 relates to an issue in the v2 Cognito User Pool configuration where attribute write permissions were insufficiently restricted. Impacted versions: AWS Ops Wheel v2 deployments PR-163 and earlier Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-018-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 24

CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python

Bulletin ID: 2026-017-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/20 12:45 PM PDT Description: AWS Encryption SDK (ESDK) for Python is a client-side encryption library. We identified CVE-2026-6550, which describes an issue with a key commitment policy bypass via shared key cache. Cryptographic algorithm downgrade in the caching layer of Amazon AWS Encryption SDK for Python before version 3.3.1 and before version 4.0.5 might allow an authenticated local threat actor to bypass key commitment policy enforcement via a shared key cache, resulting in ciphertext that can be decrypted to multiple different plaintexts. Impacted versions: - From 2.0 to 2.5.1 - From 3.0 to 3.3.0 - From 4.0 to 4.0.4 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-017-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 20

CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver

Bulletin ID: 2026-016-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/17 11:15 AM PDT Description: The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. We identified CVE-2026-6437, where an actor with PersistentVolume creation privileges can inject arbitrary mount options via two unsanitized fields: the Access Point ID in volumeHandle and the mounttargetip volumeAttribute. In both cases, appending comma-separated values causes the mount utility to parse them as separate mount options. No AWS service is affected. Impacted versions: EFS CSI Driver <&equal; v3.0.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-016-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 17

CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport

Bulletin ID: 2026-015-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/07 15:30 PM PDT Description: Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services. We identified CVE-2026-5747, an out-of-bounds write issue in the virtio PCI transport in Firecracker 1.13.0 through 1.14.3 and 1.15.0 on x86_64 and aarch64 that might allow a local guest user with root privileges to crash the Firecracker VMM process or potentially execute arbitrary code on the host via modification of virtio queue configuration registers after device activation. Achieving code execution on the host requires additional preconditions, such as the use of a custom guest kernel or specific snapshot configurations. No AWS service is affected. Impacted versions: Firecracker >= 1.13.0 AND <= 1.14.3 AND 1.15.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-015-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 14

Issues with AWS Research and Engineering Studio (RES)

Bulletin ID: 2026-014-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/06 14:00 PM PDT Description: Research and Engineering Studio (RES) on AWS is an open source, web portal design for administrators to create and manage secure cloud-based research and engineering environments. We have identified the following issues with the AWS Research and Engineering Studio (RES). CVE-2026-5707: Unsanitized input in an OS Command in the virtual desktop session name handling in AWS Research and Engineering Studio (RES) version 2025.03 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands as root on the virtual desktop host via a crafted session name. CVE-2026-5708: Improper control of user-modifiable attributes in the session creation component in AWS Research and Engineering Studio (RES) before version 2026.03 might allow an authenticated remote user to escalate privileges and assume the Virtual Desktop Host instance profile permissions and interact with other AWS resources and services via a crafted API request. CVE-2026-5709: Unsanitized input in the FileBrowser API in AWS Research and Engineering Studio (RES) version 2024.10 through 2025.12.01 might allow a remote authenticated actor to execute arbitrary commands on the cluster-manager EC2 instance via crafted input when using the FileBrowser functionality. Impacted versions: <= 2025.12.01 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-014-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 14

Issues with Amazon Athena ODBC Driver

This Amazon Security Bulletin details important vulnerabilities found in the Amazon Athena ODBC driver, which provides C/C++ applications access to Amazon Athena on Windows, Linux, and Mac. The driver implements standard ODBC APIs. Six CVEs were identified, ranging from OS command injection to improper certificate validation and insufficient authentication controls. Specifically, CVE-2026-5485, an OS command injection flaw, affected only Linux systems and was resolved in version 2.0.5.1. The other five vulnerabilities, CVE-2026-35558 through CVE-2026-35562, impacted all supported platforms. These remaining issues included improper neutralization of special elements, out-of-bounds write errors, improper certificate validation, insufficient authentication controls, and resource allocation without limits. All five of these broader vulnerabilities were successfully addressed in version 2.1.0.0 of the Amazon Athena ODBC driver. Users are strongly advised to update their drivers to the patched versions to mitigate these security risks. Referencing the provided article will offer the most current and comprehensive information regarding this security bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-013-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 14

CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme

Bulletin ID: 2026-012-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/02 11:30 AM PDT Description: Kiro IDE is an agentic development environment that makes it easy for developers to ship real engineering work with the help of AI agents. We identified CVE-2026-5429, where unsanitized input during web page generation in the Kiro Agent webview in Kiro IDE before version 0.8.140 allows a remote unauthenticated threat actor to execute arbitrary code via a maliciously crafted color theme name when a local user opens the workspace. This issue requires the user to trust the workspace when prompted. Impacted versions: < 0.8.140 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-012-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 14

CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow

AWS has identified a critical vulnerability, CVE-2026-5190, in the AWS Common Runtime library's event-stream decoder component. This flaw could enable a malicious server to trigger memory corruption and arbitrary code execution on client applications processing specially crafted event-stream messages. The vulnerability affects versions of aws-c-event-stream prior to 0.6.0, as well as several higher-level AWS SDKs that expose event-stream functionality. Users are urged to update to the specified patched versions of the impacted libraries as soon as possible to mitigate this risk. Refer to the official AWS article for comprehensive and current details on this security bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-011-aws/ aws.amazon.com
RSS Hunter RSS Hunter Apr 14

CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error

AWS has issued a security bulletin regarding a vulnerability in its cryptographic library, AWS-LC. The vulnerability, identified as CVE-2026-4428, affects X.509 certificate verification processes. It stems from a logic error within the CRL distribution point matching mechanism of AWS-LC. This error allows revoked certificates to potentially bypass revocation checks in specific scenarios. The vulnerability arises when CRL checking is enabled within the application. It specifically impacts applications that utilize partitioned CRLs incorporating Issuing Distribution Point (IDP) extensions. Therefore, applications without CRL checking are not vulnerable to this issue. Additionally, applications using complete non-partitioned CRLs without IDP extensions are also safe. The affected versions of AWS-LC and related components, including AWS-LC-FIPS, are detailed in the bulletin. Users are encouraged to consult the provided article for comprehensive details and the latest updates. This security bulletin is classified as important and requires attention from affected users. The bulletin was published on March 19, 2026.
https://aws.amazon.com/security/security-bulletins/rss/2026-010-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 19

Arbitrary code execution via crafted project files in Kiro IDE

Bulletin ID: 2026-009-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/17 12:15 PM PDT Description: Kiro is an AI-powered IDE for agentic software development. We identified CVE-2026-4295, where improper trust boundary enforcement allowed arbitrary code execution when a user opened a maliciously crafted project directory. Impacted versions: < 0.8.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-009-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 17

CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit

Bulletin ID: 2026-008-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/16 11:15 AM PDT Description: A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. Impacted versions: All versions of Bedrock AgentCore Starter Toolkit versions before v0.1.13. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-008-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 16

CVE-2026-4270 - AWS API MCP File Access Restriction Bypass

This AWS security bulletin, ID 2026-007, concerns the AWS API MCP Server, an open-source tool facilitating AI assistant interaction with AWS. The MCP Server utilizes AWS CLI commands, allowing users to manage AWS resources programmatically. Its configurable file access feature controls CLI interactions with the local file system using options like workdir, unrestricted, and no-access. A vulnerability, CVE-2026-4270, has been identified in the file access restrictions of versions 0.2.14 through 1.3.8. This vulnerability allows potential bypasses of intended file access limitations. Specifically, it affects the "no-access" and "workdir" configurations, potentially revealing arbitrary local file contents. This vulnerability poses a security risk by potentially exposing sensitive information. Impacted versions of the awslabs.aws-api-mcp-server are >= 0.2.14 and < 1.3.9. Users should consult the provided article for comprehensive details and remediation instructions. This bulletin requires immediate attention due to the potential security implications. The publication date of the bulletin is March 16, 2026.
https://aws.amazon.com/security/security-bulletins/rss/2026-007-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 16

MariaDB Server Audit Plugin Comment Handling Bypass

Bulletin ID: 2026-006-AWS Scope: AWS Content Type: Informational Publication Date: 2026/03/03 10:15 AM PST Description: Amazon RDS/Aurora is a managed relational database service. We identified CVE-2026-3494. In MariaDB server version through 11.8.5, when server audit plugin is enabled with server_audit_events variable configured with QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, if an authenticated database user invokes a SQL statement prefixed with double-hyphen (‐‐) or hash (#) style comments, the statement is not logged. Impacted versions: - MariaDB Server (10.6.24 and prior, 10.11.15 and prior, 11.4.9 and prior, and 11.8.5 and prior) - Amazon Aurora MySQL (2.12.5 and prior, 3.01.0 to 3.04.5, 3.05.1 to 3.10.2, and 3.11.0) - Amazon RDS for MySQL (5.7.44-RDS.20251212 and prior, 8.0.11 to 8.0.44, and 8.4.3 to 8.4.7) - Amazon RDS for MariaDB (10.6.24 and prior, 10.11.4 to 10.11.15, 11.4.3 to 11.4.9, and 11.8.3 to 11.8.5) Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-006-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 3

Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)

AWS has issued an important security bulletin regarding its open-source cryptographic library, AWS-LC. Three critical vulnerabilities were discovered within the library. The first vulnerability, CVE-2026-3336, concerns a certificate chain validation bypass in the PKCS7_verify function. This flaw allows unauthorized users to bypass verification when handling PKCS7 objects with multiple signers. The second vulnerability, CVE-2026-3337, involves a timing side-channel in AES-CCM tag verification. This vulnerability could allow attackers to determine tag validity through timing analysis during decryption. The third vulnerability, CVE-2026-3338, is a signature validation bypass within PKCS7_verify. It allows an attacker to bypass signature verification when processing PKCS7 objects featuring authenticated attributes. These vulnerabilities affect various versions of AWS-LC and aws-lc-sys, including FIPS compliant versions. Affected versions are specified for each vulnerability in the bulletin. Users are urged to check the bulletin for a complete list of impacted versions. The bulletin recommends referring to the provided article for detailed information and the latest updates. Action is required to address these security issues.
https://aws.amazon.com/security/security-bulletins/rss/2026-005-aws/ aws.amazon.com
RSS Hunter RSS Hunter Mar 2

Security Findings in SageMaker Python SDK

AWS released a security bulletin detailing two vulnerabilities within the SageMaker Python SDK. The first vulnerability, CVE-2026-1777, concerns an exposed HMAC key used for protecting data integrity. This key is stored in environment variables and disclosed through the DescribeTrainingJob API. Attackers with DescribeTrainingJob permissions can extract this key, manipulate data, and overwrite S3 objects. Impacted versions include specific builds within the v2 and v3 versions of the SDK. The second vulnerability, CVE-2026-1778, involves an insecure TLS configuration. This issue globally disables SSL certificate verification in the Triton Python backend. This configuration was introduced to bypass SSL errors when downloading models from public sources. This invalidates the security of HTTPS connections when the Triton Python model is imported. The vulnerability impacts specific builds within the v2 and v3 versions of the SDK as well. These vulnerabilities can be exploited to compromise the integrity and security of SageMaker model training and deployment. Users are advised to review the provided article for comprehensive information and remediation steps. Immediate attention is required to address these critical security risks. The bulletin emphasizes the importance of promptly updating to the patched SDK versions. By addressing these issues, users can protect their machine-learning workflows on AWS.
https://aws.amazon.com/security/security-bulletins/rss/2026-004-aws/ aws.amazon.com
RSS Hunter RSS Hunter Feb 2

CVE-2026-1386 - Arbitrary Host File Overwrite via Symlink in Firecracker Jailer

Bulletin ID: 2026-003-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/01/23 12:30 PM PST Description: Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services. Firecracker runs in user space and uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. Each Firecracker microVM is further isolated with common Linux user-space security barriers by a companion program called "jailer". The jailer provides a second line of defense in case a user escapes from the microVM boundaries and it is released at each Firecracker version. We are aware of CVE-2026-1386, an issue that is related to the Firecracker jailer, which under certain circumstances can allow an user to overwrite arbitrary files in the host filesystem. AWS services that use Firecracker are not impacted by the issue as we appropriately restrict access to the host and the jailer folder, blocking the preconditions required for the attack to happen. Impacted versions: Firecracker version v1.13.1 and earlier and 1.14.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-003-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jan 23

Unanchored ACCOUNT_ID webhook filters for CodeBuild

Bulletin ID: 2026-002-AWS Scope: AWS Content Type: Informational Publication Date: 2026/01/15 07:03 AM PST Description: A security research team identified a configuration issue affecting the following AWS-managed open source GitHub repositories that could have resulted in the introduction of inappropriate code: - aws-sdk-js-v3 - aws-lc - amazon-corretto-crypto-provider - awslabs/open-data-registry Specifically, researchers identified the above repositories' configured regular expressions for AWS CodeBuild webhook filters intended to limit trusted actor IDs were insufficient, allowing a predictably acquired actor ID to gain administrative permissions for the affected repositories. We can confirm these were project-specific misconfigurations in webhook actor ID filters for these repositories and not an issue in the CodeBuild service itself. The researchers carefully demonstrated the potential to commit inappropriate code, through an empty code commit, to one repository and promptly informed AWS Security of their research activity and its potential negative impact. No inappropriate code was introduced to any of the affected repositories during this security research activity, the demonstrated empty code commit to one repository had no impact to any AWS customer environments and did not impact any AWS services or infrastructure. No customer action is required. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-002-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jan 15

CVE-2026-0830 - Command Injection in Kiro GitLab Merge Request Helper

Bulletin ID: 2026-001-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/01/09 13:15 PM PST Description: Kiro is an agentic IDE users install on their desktop. We identified CVE-2026-0830 where opening a maliciously crafted workspace may lead to arbitrary command injection in Kiro IDE before Kiro version 0.6.18. This may occur if the workspace has specially crafted folder names within the workspace containing injected commands. Resolution: Kiro IDE <0.6.18 Please refer to the article below for the most up-to-date information related to this AWS Security Bulletin.
https://aws.amazon.com/security/security-bulletins/rss/2026-001-aws/ aws.amazon.com
RSS Hunter RSS Hunter Jan 9

Key Commitment Issues in S3 Encryption Clients

AWS has announced a critical security bulletin, AWS-2025-032, requiring immediate attention. This bulletin addresses vulnerabilities in S3 Encryption Clients across multiple programming languages. The identified CVEs relate to key commitment issues within these encryption clients. Specifically, the vulnerabilities impact Java, Go, .NET, C++, PHP, and Ruby S3 Encryption Clients. These clients are used for encrypting and decrypting data stored in S3. The core issue arises when encrypted data keys (EDKs) are stored in instruction files. This storage method exposes EDKs to potential attacks like the "Invisible Salamanders" attack. This attack can manipulate and replace the EDK, compromising data security. The bulletin provides a list of affected versions across languages. Users are urged to upgrade their S3 Encryption Clients to patched versions. Patches include the following versions or later: Java (3.5.0), Go (3.1.0), .NET (3.1), C++ (1.11.711), PHP (3.367.0), and Ruby (1.207.0).
https://aws.amazon.com/security/security-bulletins/rss/aws-2025-032/ aws.amazon.com
RSS Hunter RSS Hunter Dec 17, 2025

Overly Permissive Trust Policy in Harmonix on AWS EKS

Bulletin ID: AWS-2025-031 Scope: AWS Content Type: Informational Publication Date: 2025/12/15 11:45 AM PST Description: Harmonix on AWS is an open source reference architecture and implementation of a Developer Platform that extends the CNCF Backstage project. We identified CVE-2025-14503 where an overly-permissive IAM trust policy in the Harmonix on AWS framework may allow authenticated users to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any account principal with sts:AssumeRole permissions to assume the role with administrative privileges. Resolution: v0.3.0 through v0.4.1
https://aws.amazon.com/security/security-bulletins/rss/aws-2025-031/ aws.amazon.com
RSS Hunter RSS Hunter Dec 15, 2025

CVE-2025-66478: RCE in React Server Components

Bulletin ID: AWS-2025-030 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/12/03 20:00 PM PST Description: AWS is aware of the recently disclosed CVE-2025-55182 which affects the React Server Flight protocol in React versions 19.0, 19.1, and 19.2, as well as in Next.js versions 15.x, 16.x, Next.js 14.3.0-canary.77 and later canary releases when using App Router. This issue may permit unauthorized remote code execution on affected applications servers. AWS is aware of CVE-2025-66478, which has been rejected as a duplicate of CVE-2025-55182. Customers using managed AWS services are not affected, and no action is required. Customers running an affected version of React or Next.js in their own environments should update to the latest patched versions immediately: - Customers using React 19.x, with Server Functions and RSC Components should update to the latest patched versions 19.0.1, 19.1.2, and 19.2.1 - Customers using Next.js 15-16 with App Router should update to a patched version
https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/ aws.amazon.com
RSS Hunter RSS Hunter Dec 4, 2025