Amazon ECS Agent FSx WinFS OS Command Injection <v1.103.0
CVE-2026-7461 Published on April 30, 2026
OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.
To remediate this issue, users should upgrade to version 1.103.0.
Vulnerability Analysis
CVE-2026-7461 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2026-7461 has been classified as a Shell injection vulnerability or weakness.
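The neutralization step this weakness description refers to, sketched in Go (the language the ECS agent is written in) as an added example; it is not code from the ECS agent or from AWS. The helper name `ValidateFSxUsername`, both allowlists and every sample value are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed allowlists (not taken from the ECS agent): an account name of
// letters, digits, '.', '_' and '-', and a NetBIOS or DNS style domain.
var (
	accountRe = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)
	domainRe  = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$`)
)

// ValidateFSxUsername is a hypothetical helper. It accepts "user",
// "DOMAIN\user" or "user@domain" and rejects everything else, so quotes,
// separators, whitespace and control characters never reach a command line.
func ValidateFSxUsername(u string) error {
	account, domain, hasDomain := u, "", false
	if i := strings.IndexByte(u, '\\'); i >= 0 {
		domain, account, hasDomain = u[:i], u[i+1:], true
	} else if i := strings.LastIndexByte(u, '@'); i >= 0 {
		account, domain, hasDomain = u[:i], u[i+1:], true
	}
	if !accountRe.MatchString(account) {
		return fmt.Errorf("account part %q has characters outside the allowlist", account)
	}
	if hasDomain && !domainRe.MatchString(domain) {
		return fmt.Errorf("domain part %q has characters outside the allowlist", domain)
	}
	return nil
}

func main() {
	// Constructed sample values, not real credentials.
	samples := []string{
		"svc_fsx", `CORP\svc_fsx`, "svc_fsx@corp.example.com",
		`svc_fsx"; echo constructed`, "svc_fsx && echo constructed",
		"svc_fsx\necho constructed", `CORP\`, "",
	}
	for _, s := range samples {
		if err := ValidateFSxUsername(s); err != nil {
			fmt.Printf("REJECT %q: %v\n", s, err)
			continue
		}
		fmt.Printf("ok     %q\n", s)
	}
}
```

An allowlist check like this is defense in depth for values read from Secrets Manager or SSM Parameter Store; it does not replace upgrading to version 1.103.0.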
Products Associated with CVE-2026-7461
Affected Versions
AWS Amazon ECS Agent: versions 1.47.0 through 1.102.0 (<= 1.102.0) are affected.