HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-11393Published Modified CNA AMZN

CVE-2026-11393: Code injection via improper triple-quote escaping in AgentCore CLI Bedrock Agent import

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.

Metrics

CVSS v4.0
8.8
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Code injection via improper triple-quote escaping affects AgentCore CLI (versions up to 0.14.1 and up to 1.0.0-preview.8). An authenticated attacker who can craft a malicious collaborationInstruction on a Bedrock Agent collaborator can inject arbitrary Python code that executes when another user in the same AWS account imports that agent using the CLI, requiring both network access and victim interaction. Successful exploitation gives the attacker arbitrary code execution inside AWS AgentCore Runtime under the imported agent's IAM role, as well as on the local machine of the user who triggered the import. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-11393 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle AgentCore CLI.

Available
Triage

HarborGuard scores this finding at CVSS 8.8 (HIGH) and can weight it further against each customer's per-environment compliance policies; findings are routed to the appropriate team inbox within each organization based on configured ownership rules.

Available
Patch

Because no fix version has been published upstream as of this writing, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must be able to reach the target AWS account's Bedrock Agent service over the network to plant the malicious collaborationInstruction.

  • AuthenticationRequired

    Any low-privilege AWS account credential is sufficient; the attacker must be an authenticated user capable of writing a collaborationInstruction to a Bedrock Agent collaborator.

  • Victim interactionRequired

    A second user in the same AWS account must actively run an agent import operation using AgentCore CLI against the poisoned collaborator, making this a social-engineering or supply-chain vector.

  • Attack complexityDetail

    The CVSS vector notes an attack target prerequisite (AT:P), meaning certain environmental conditions around the shared AWS account and the import workflow must be in place, though the exploit itself is otherwise straightforward once those conditions exist.

Blast Radius

  • Executes arbitrary Python code inside AWS AgentCore Runtime under the imported agent's IAM execution role, granting the attacker whatever AWS permissions that role holds.
  • Executes arbitrary code on the local machine of the victim user who triggered the import operation.
  • Reads, modifies, or deletes AWS resources accessible to the agent's IAM role, depending on the role's attached policies.
  • Compromises downstream systems or data reachable from the victim's local environment at the time of import.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-11393, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment version 0.14.2 or an equivalent fix ships from the CNA. In the interim, compensating controls worth evaluating include restricting which IAM principals can write collaborationInstructions to Bedrock Agent collaborators via IAM policy conditions, applying network-policy isolation to any environment where AgentCore CLI import operations run, and gating agent import workflows behind a review step so crafted instructions are inspected before processing. For customers with auto-remediation enabled, once an upstream fix is available, HarborGuard will rebuild affected images at the patched version, run regression tests, and open a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled.

See how HarborGuard automates this
Affected packages
  • AWS / AgentCore CLI
    ≤ 0.14.1 · ≤ 1.0.0-preview.8
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
References