CVE-2026-11393: AgentCore CLI v<0.14.2 RCE via triplequote code gen
CVE-2026-11393 Published on June 8, 2026
Code injection via improper triple-quote escaping in AgentCore CLI Bedrock Agent import
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import.
To remediate this issue, users should upgrade to version 0.14.2.
Vulnerability Analysis
CVE-2026-11393 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-11393 has been classified to as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-11393
stack.watch emails you whenever new vulnerabilities are published in Amazon Aws or Aws Agentcore Cli. Just hit a watch button to start following.
Affected Versions
AWS AgentCore CLI:- Version 0.4.0, <= 0.14.1 is affected.
- Version 0.3.0-preview.7.0, <= 1.0.0-preview.8 is affected.