Description
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import.
To remediate this issue, users should upgrade to version 0.14.2.
Published: 2026-06-08
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before version 0.14.2 allows an authenticated remote threat actor to execute arbitrary code on the AWS AgentCore Runtime within the imported agent's IAM execution role and also on the local environment of another user in the same AWS account. The vulnerability is triggered when a crafted collaborationInstruction is stored on a Bedrock Agent collaborator and later processed by that other user during agent import, leading to full control over the runtime and local system.
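As an added illustration of this bug class (constructed here, not the AgentCore CLI's own code), the snippet below shows a generator that splices untrusted text straight into a triple-quoted Python literal next to a hardened form that lets Python escape the literal, plus an AST guard a generator can run over its own output before writing it to disk. The function names and the sample instruction are assumptions for the example.

```python
import ast

# Constructed sample: collaborator text that contains the closing delimiter of a
# triple-quoted string followed by an extra statement. ast.parse never executes it.
SAMPLE_INSTRUCTION = 'Summarise the ticket."""\nextra_statement = 1\n"""'


def emit_naive(name: str, instruction: str) -> str:
    """Vulnerable pattern: the untrusted text is interpolated verbatim into a
    triple-quoted literal, so an embedded closing delimiter ends the literal early."""
    return f'{name} = """{instruction}"""\n'


def emit_hardened(name: str, instruction: str) -> str:
    """Hardened form: repr() produces a correctly quoted and escaped literal for any
    input, so the generated module always contains exactly the intended string."""
    return f"{name} = {instruction!r}\n"


def statement_count(source: str) -> int:
    """Number of top-level statements in the generated source."""
    return len(ast.parse(source).body)


def is_single_string_assignment(source: str, name: str, expected: str) -> bool:
    """Guard for generated code: the module must be exactly one assignment of a
    plain string constant to the expected name, with the expected value."""
    tree = ast.parse(source)
    if len(tree.body) != 1:
        return False
    node = tree.body[0]
    return (
        isinstance(node, ast.Assign)
        and len(node.targets) == 1
        and isinstance(node.targets[0], ast.Name)
        and node.targets[0].id == name
        and isinstance(node.value, ast.Constant)
        and node.value.value == expected
    )


if __name__ == "__main__":
    naive = emit_naive("instruction", SAMPLE_INSTRUCTION)
    hardened = emit_hardened("instruction", SAMPLE_INSTRUCTION)
    print("naive output has", statement_count(naive), "statements")        # 3
    print("naive passes guard:", is_single_string_assignment(naive, "instruction", SAMPLE_INSTRUCTION))
    print("hardened passes guard:", is_single_string_assignment(hardened, "instruction", SAMPLE_INSTRUCTION))
```

The same guard accepts the naive generator's output for instructions without triple quotes, which is why the defect only shows up once a crafted instruction is imported.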

Affected Systems

AgentCore CLI is an AWS product; versions prior to 0.14.2 are affected. The vulnerability applies to all deployments of the CLI that use the Bedrock Agent collaboration feature.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and because no EPSS score is available the current exploitation probability is unknown, though not necessarily negligible. The vulnerability is not listed in CISA's KEV catalog, and exploitation requires an authenticated account plus a malicious collaborationInstruction, which could be supplied by an insider or a compromised user. If exploited, the attacker could compromise the agent's IAM role permissions and gain persistent access to the underlying host system.

Generated by OpenCVE AI on June 8, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AgentCore CLI to version 0.14.2 or later.
  • Restrict use of the Bedrock Agent collaborationInstruction feature to trusted users and roles.
  • Audit all existing collaborationInstructions for malicious triple-quote patterns and remove or sanitize them.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 21:30:00 +0000

Values added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 19:00:00 +0000

Values added:
Description: Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.
Title: Code injection via improper triple-quote escaping in AgentCore CLI Bedrock Agent import
First Time appeared: Aws; Aws agentcore Cli
Weaknesses: CWE-94
CPEs: cpe:2.3:a:aws:agentcore_cli:*:*:*:*:*:*:*:*
Vendors & Products: Aws; Aws agentcore Cli
References: none listed
Metrics: cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-08T19:45:58.413Z

Reserved: 2026-06-05T16:15:22.377Z

Link: CVE-2026-11393

Vulnrichment

Updated: 2026-06-08T19:45:54.794Z

NVD

Status : Received

Published: 2026-06-08T19:16:41.270

Modified: 2026-06-08T19:16:41.270

Link: CVE-2026-11393

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-08T20:30:06Z

Weaknesses