Aws Aws

  1. Vendors
  2. Aws

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Aws product.

RSS Feeds for Aws security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Aws products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Aws Sorted by Most Security Vulnerabilities since 2018

Aws Ops Wheel2 vulnerabilities

Aws Agentcore Cli1 vulnerability

Aws Amazon Braket Python Sdk1 vulnerability

Aws Amazon Ecs Agent1 vulnerability

Aws Amazon Redshift Connector Python1 vulnerability

Aws Advanced Go Wrapper1 vulnerability

Aws Advanced Jdbc Wrapper1 vulnerability

Aws C Http1 vulnerability

Aws Cloud Development Kit Library1 vulnerability

Aws Graph Explorer1 vulnerability

Aws Kiro Cli1 vulnerability

Aws Kiro Ide1 vulnerability

Qnabot On Aws1 vulnerability

Rabbitmq Aws1 vulnerability

Aws S2n Quic1 vulnerability

By the Year

In 2026 there have been 21 vulnerabilities in Aws with an average score of 7.7 out of ten.

Year Vulnerabilities Average Score
2026 21 7.67

It may take a day or so for new Aws vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Aws Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-12043 Jun 12, 2026
AWS Common Runtime aws-c-http 0.11.0: HPACK CVE-2026-12043 Improper handling of HPACK dynamic table size updates in the AWS Common Runtime aws-c-http library might allow a remote threat actor operating a server to cause memory corruption on a connecting client application, potentially leading to arbitrary code execution, via a crafted sequence of HTTP/2 HEADERS frames. To remediate this issue, users should upgrade to aws-c-http version 0.11.0.
Aws C Http
CVE-2026-10740 Jun 10, 2026
s2n-quic 1.8.2+ Unbounded CRYPTO frame reassembler DoS Unbounded memory allocation in the CRYPTO frame reassembler in s2n-quic before 1.8.2 may allow an unauthenticated remote actor to cause a denial of service (degraded availability) by sending crafted QUIC Initial packets. To remediate this issue, users should upgrade to v1.8.2.
S2n Quic
CVE-2026-11417 Jun 10, 2026
OS Command Injection NodejsFunction bundling in aws-cdk-lib <2.245.0 OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.
Aws Cloud Development Kit Library
CVE-2026-11393 Jun 08, 2026
CVE-2026-11393: AgentCore CLI v<0.14.2 RCE via triplequote code gen Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.
Agentcore Cli
CVE-2026-11401 Jun 05, 2026
AWS Adv Go Wrapper GDBP Untrusted Search Path Escalation An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced Go Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through the affected wrapper. To remediate this issue, users should upgrade to the AWS Advanced Go Wrapper release 2026-05-26
Aws Advanced Go Wrapper
CVE-2026-11400 Jun 05, 2026
AWS Advanced JDBC Wrapper 4.0.0 GlobalDatabasePlugin Search Path Escalation An untrusted search path issue in the GlobalDatabasePlugin in the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL will allow a remote authenticated low-privilege actor to escalate privileges to those of another Amazon RDS user, including rds_superuser, via a crafted function created by the actor that runs when that user connects to the cluster through an affected wrapper. To remediate this issue, users should upgrade to AWS Advanced JDBC Wrapper version 4.0.1.
Aws Advanced Jdbc Wrapper
CVE-2026-10584 Jun 02, 2026
Graph Explorer v<3.0.1 HTTP Fallback Enables HTTPS Interception Proxy server in Graph Explorer before 3.0.1 falls back to HTTP when certificate files are missing, which might allow remote threat actors to obtain sensitive information via interception of requests intended to be sent over HTTPS. To remediate this issue, users should upgrade to Graph Explorer v3.0.1 or later.
Graph Explorer
CVE-2026-10591 Jun 02, 2026
Amazon Kiro IDE <0.11 File Write CA Remote Exec Insufficient access control restrictions in the file write tool in Amazon Kiro IDE before version 0.11 might allow remote unauthenticated actors to execute arbitrary commands via crafted instructions that cause writes to execution-sensitive paths (such as .vscode/tasks.json), enabling auto-execution on folder open. To remediate this issue, users should upgrade to Kiro IDE version 0.11 or later.
Kiro Ide
CVE-2026-9291 May 22, 2026
Amazon Braket SDK 1.117.0 Fix: Insecure Deserialization (Remote Exec) Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results. We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later.
Amazon Braket Python Sdk
CVE-2026-9255 May 22, 2026
Kiro CLI <1.28.0: Missing input validation allows arbitrary tool exec via stdin Missing input source validation in the tool authorization prompt in Kiro CLI before 1.28.0 allows a local attacker to execute arbitrary tools, including shell commands, without user approval by crafting content that is piped to kiro-cli via stdin. We recommend you to upgrade to kiro-cli version 1.28.0 or later.
Kiro Cli
CVE-2026-9133 May 20, 2026
Amazon MQ rabbitmq-aws <0.2.1: Debug ARN allows remote file read Active debug code exists in the ARN resolver of amazon-mq rabbitmq-aws before version 0.2.1. A debug ARN scheme (arn:aws-debug:file) accepted by the PUT /api/aws/arn/validate validation endpoint might allow remote authenticated users to perform arbitrary file reads on any file accessible to the RabbitMQ process. To remediate this issue, customers should upgrade to version 0.2.1 of rabbitmq-aws. If RabbitMQ is configured to use TLS for connections, we also recommend rotating any associated private certificate keys.
Rabbitmq Aws
CVE-2026-8838 May 18, 2026
Amazon Redshift Python Driver eval() Vulnerability in vector_in() before 2.1.14 Unsafe use of Python's eval() on server-received data in the vector_in() function in amazon-redshift-python-driver before 2.1.14 allows a rogue server or man-in-the-middle actor to execute arbitrary code on the client. To remediate this issue, users should upgrade to version 2.1.14.
Amazon Redshift Connector Python
CVE-2026-7461 Apr 30, 2026
Amazon ECS Agent FSx WinFS OS Command Injection <v1.103.0 Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.
Amazon Ecs Agent
CVE-2026-7426 Apr 29, 2026
FreeRTOS-Plus-TCP <4.2.6, <4.4.1 IPv6 RA Prefix Length Overflow Insufficient validation of the prefix length field in IPv6 Router Advertisement processing in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause memory corruption by sending a crafted Router Advertisement with a prefix length value exceeding the maximum valid length, resulting in a heap buffer overflow. Users processing IPv4 RA only are not impacted. To mitigate this issue, users should upgrade to the fixed version when available.
CVE-2026-7425 Apr 29, 2026
FreeRTOS-Plus-TCP <= V4.4.1: IPv6 RA Prefix truncation DoS Insufficient option length validation in the IPv6 Router Advertisement parser in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to cause a denial of service (device crash) by sending a crafted Router Advertisement with a truncated PREFIX_INFORMATION option that is smaller than the expected structure size. To mitigate this issue, users should upgrade to the fixed version when available.
CVE-2026-7424 Apr 29, 2026
FreeRTOS-Plus-TCP DHCPv6 Integer Underflow (V4.4.1/4.2.6) Integer underflow in the DHCPv6 sub-option parser in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network actor to corrupt the device's IPv6 address assignment, DNS configuration, and lease times, and to cause a denial of service (permanent IP task freeze requiring hardware reset) by sending a single crafted DHCPv6 packet. The issue is present whenever DHCPv6 is enabled. To mitigate this issue, users should upgrade to version V4.2.6 or V4.4.1 or newer.
CVE-2026-7423 Apr 29, 2026
Integer Underflow in FreeRTOS-Plus-TCP ICMP Handlers V4.4.1/V4.2.6 Integer underflow in the ICMP and ICMPv6 echo reply handlers in FreeRTOS-Plus-TCP before V4.4.1 and V4.2.6 allows an adjacent network user to cause a denial of service (device crash) when outgoing ping support is enabled, because header sizes are subtracted from a packet length field without validating the field is large enough, resulting in a heap out-of-bounds read of up to approximately 65KB. To mitigate this issue, users should upgrade to the fixed version when available.
CVE-2026-7422 Apr 29, 2026
FreeRTOS-Plus-TCP MAC Spoof Loophole before v4.4.1 Insufficient packet validation in FreeRTOS-Plus-TCP before V4.2.6 and V4.4.1 allows an adjacent network actor to bypass all checksum and minimum-size validation by spoofing the Ethernet source MAC address to match one of the device's own registered endpoints, because the loopback detection mechanism skips all input validation for packets whose source MAC matches a local endpoint. To mitigate this issue, users should upgrade to the fixed version when available.
CVE-2026-7191 Apr 27, 2026
qnabot-on-aws <7.3 CExec via static-eval Exploit (CVE-2026-7191) Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Content Designer interface, which bypasses the intended expression sandbox through JavaScript prototype manipulation. This may grant direct access to backend resources (Lambda environment variables, OpenSearch indices, S3 objects, DynamoDB tables) that are not exposed through normal administrative interfaces. We recommend you upgrade to version 7.3.0 or above.
Qnabot On Aws
CVE-2026-6912 Apr 24, 2026
AWS Ops Wheel Cognito User Pool Attribute Escalation via UpdateUserAttributes Improperly controlled modification of dynamically-determined object attributes in the Cognito User Pool configuration in AWS Ops Wheel before PR #165 allows remote authenticated users to escalate to deployment admin privileges and manage Cognito user accounts via a crafted UpdateUserAttributes API call that sets the custom:deployment_admin attribute. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Aws Ops Wheel
CVE-2026-6911 Apr 24, 2026
AWS Ops Wheel JWT Signature Bypass (CVE-2026-6911) Missing JWT signature verification in AWS Ops Wheel allows unauthenticated attackers to forge JWT tokens and gain unintended administrative access to the application, including the ability to read, modify, and delete all application data across tenants and manage Cognito user accounts within the deployment's User Pool, via a crafted JWT sent to the API Gateway endpoint. To remediate this issue, users should redeploy from the updated repository and ensure any forked or derivative code is patched to incorporate the new fixes.
Aws Ops Wheel
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.