How is CVE-2026-12530 exploited?

Network reachability (required): The attacker must reach the service over the network; the CVSS vector specifies AV:N, meaning remote access to an exposed endpoint is necessary. Authentication (required): A low-privilege account is sufficient; the vector specifies PR:L, so the attacker must be authenticated but does not need administrative credentials. Victim interaction (required): A user must take an action that triggers the vulnerable install_packages() call, such as initiating a package installation with attacker-influenced input; the vector specifies UI:A. Attack complexity (info): Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental configuration to succeed.

What is the impact of CVE-2026-12530?

Reads data accessible within the Code Interpreter sandbox, including files, environment variables, and any credentials or secrets mounted into that environment. Writes or modifies files and data within the sandbox, allowing persistent changes to the execution environment or staged artifacts. The host service and its availability are unaffected; the CVSS vector specifies VA:N and SA:N, so denial of service is not a direct outcome of this vulnerability.

Back to search

HIGHCVE-2026-12530Published 2026-06-17Modified 2026-06-17CNA AMZN

CVE-2026-12530: Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()

Q: What is CVE-2026-12530?

An argument-delimiter injection vulnerability in the install_packages() method of the AWS Bedrock AgentCore Python SDK (versions 1.1.3 through 1.6.0) allows a remote attacker with a low-privilege account to execute arbitrary commands inside the Code Interpreter sandbox by passing crafted package name strings. The attacker must reach the service over the network and trick a user into triggering the vulnerable call. Successful exploitation gives the attacker full read and write access to data within the sandbox environment. A patched-image rebuild at version 1.6.1 is available on HarborGuard for environments running an affected version of this SDK.

Q: How is CVE-2026-12530 fixed?

A patched-image rebuild at bedrock-agentcore version 1.6.1 is available on HarborGuard for any environment found to be running an affected release. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1.

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: 1.6.1
Affected Products: 1

HarborGuard Analysis

Synopsis

An argument-delimiter injection vulnerability in the install_packages() method of the AWS Bedrock AgentCore Python SDK (versions 1.1.3 through 1.6.0) allows a remote attacker with a low-privilege account to execute arbitrary commands inside the Code Interpreter sandbox by passing crafted package name strings. The attacker must reach the service over the network and trick a user into triggering the vulnerable call. Successful exploitation gives the attacker full read and write access to data within the sandbox environment. A patched-image rebuild at version 1.6.1 is available on HarborGuard for environments running an affected version of this SDK.

HarborGuard Coverage

Detection

Detection of CVE-2026-12530 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the bedrock-agentcore SDK.

Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 8.4 (High) and weighting it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at bedrock-agentcore version 1.6.1 is available on HarborGuard for any environment found to be running an affected release. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the service over the network; the CVSS vector specifies AV:N, meaning remote access to an exposed endpoint is necessary.
AuthenticationRequired
A low-privilege account is sufficient; the vector specifies PR:L, so the attacker must be authenticated but does not need administrative credentials.
Victim interactionRequired
A user must take an action that triggers the vulnerable install_packages() call, such as initiating a package installation with attacker-influenced input; the vector specifies UI:A.
Attack complexityDetail
Attack complexity is Low (AC:L), meaning the exploit is reliable and requires no special timing, race conditions, or environmental configuration to succeed.

Blast Radius

Reads data accessible within the Code Interpreter sandbox, including files, environment variables, and any credentials or secrets mounted into that environment.
Writes or modifies files and data within the sandbox, allowing persistent changes to the execution environment or staged artifacts.
The host service and its availability are unaffected; the CVSS vector specifies VA:N and SA:N, so denial of service is not a direct outcome of this vulnerability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-12530 activates as soon as the advisory is ingested, matching any image that packages bedrock-agentcore versions 1.1.3 through 1.6.0. For environments where a match is found, a rebuilt image at version 1.6.1 is made available. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the new image, and opens a pull request targeting affected workloads; for High-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the triage finding is surfaced with the CVSS 8.4 score and routed to the configured owner inbox so teams can act manually. In the interim, consider restricting which users or roles can invoke install_packages() and validating package name inputs at the application layer before passing them to the SDK.

See how HarborGuard automates this

Fix available

1.6.1

Affected packages

AWS / bedrock-agentcore
< 1.6.1 (from 1.1.3)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Metrics

Get notified

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Fix available