AWS Bedrock AgentCore SDK 1.1.3-1.6.1 Remote Cmd via install_packages
CVE-2026-12530 Published on June 17, 2026
Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments.
To mitigate this issue, users should upgrade to version 1.6.1.
Vulnerability Analysis
CVE-2026-12530 is exploitable with network access, and requires user interaction and a small amount of user privileges. The vulnerability is considered to have a low attack complexity. A successful exploit is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is an Argument Injection Vulnerability?
The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
CVE-2026-12530 has been classified as an Argument Injection vulnerability or weakness.
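Added example (not the SDK's code, which this page does not show): the weakness pattern described above next to a hardened form that validates each package specifier and passes an argument list. The `pip install` command, the function names and the sample inputs are assumptions constructed for illustration.

```python
import re
import shlex

# Allow-list: PEP 508-style project name plus at most one version clause.
# No whitespace, no leading "-", no URLs, no shell metacharacters.
_NAME = r"[A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?"
_VERSION = r"(?:(?:==|>=|<=|~=|!=|<|>)[A-Za-z0-9.*+!]+)?"
_SPEC = re.compile(rf"{_NAME}{_VERSION}")


def naive_command(packages):
    """Weak form: caller strings are joined straight into one command string."""
    return "pip install " + " ".join(packages)


def tokens(command):
    """Split a command string the way a POSIX shell would delimit arguments."""
    return shlex.split(command)


def is_accepted(spec):
    """True only if the whole string is one plain package specifier."""
    return isinstance(spec, str) and _SPEC.fullmatch(spec) is not None


def safe_argv(packages):
    """Hardened form: validate each item, then pass an argv list (no shell)."""
    for spec in packages:
        if not is_accepted(spec):
            raise ValueError(f"rejected package specifier: {spec!r}")
    return ["pip", "install", *packages]


if __name__ == "__main__":
    # Constructed inputs; the second one carries an extra option and value.
    benign = ["requests", "numpy==1.26.4"]
    crafted = ["requests --some-option value"]
    print(tokens(naive_command(crafted)))  # one "package" became three arguments
    print(safe_argv(benign))
    try:
        safe_argv(crafted)
    except ValueError as exc:
        print(exc)
```

The argv list from `safe_argv` is meant to be handed to a process launcher without a shell, so each validated specifier stays a single argument.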
Products Associated with CVE-2026-12530
Affected Versions
AWS bedrock-agentcore: versions from 1.1.3 up to, but not including, 1.6.1 are affected.