Description
Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments.



To mitigate this issue, users should upgrade to version 1.6.1.
Published: 2026-06-17
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves an improper neutralization of argument delimiters in the install_packages() method of the AWS Bedrock AgentCore Python SDK. A remote authenticated attacker can supply a crafted package name that causes arbitrary commands to be executed inside the Code Interpreter sandbox. This flaw corresponds to CWE-88 and enables the attacker to compromise the integrity of the sandbox environment, potentially leading to the execution of malicious code.

Affected Systems

The issue affects AWS Bedrock AgentCore Python SDK versions 1.1.3 up to but not including 1.6.1. Organizations that invoke the install_packages() function within these releases are vulnerable. The affected product is the Bedrock AgentCore SDK supplied by Amazon Web Services.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. The EPSS score of less than 1% shows that exploitation is unlikely on a widespread basis yet possible. Based on the description, the likely attack vector is limited to authenticated users with valid AWS credentials and a code‑execution context. The vulnerability is not listed in CISA’s KEV catalog, so no off‑the‑shelf exploits are publicly known. Nonetheless, the insecure handling of delimiters presents a significant risk for any deployment that relies on install_packages for dependency installation.

Generated by OpenCVE AI on June 18, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AWS Bedrock AgentCore SDK to version 1.6.1 or later
  • Verify that all Python deployments pin the SDK to the patched release and re‑install dependencies after the upgrade
  • If an upgrade cannot be performed immediately, restrict or disable the install_packages call in code that processes user‑supplied arguments, and perform strict validation of package names before usage

Generated by OpenCVE AI on June 18, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1.
Title Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
First Time appeared Aws
Aws bedrock-agentcore
Weaknesses CWE-88
CPEs cpe:2.3:a:aws:bedrock-agentcore:*:*:*:*:*:*:*:*
Vendors & Products Aws
Aws bedrock-agentcore
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Aws Bedrock-agentcore
cve-icon MITRE

Status: PUBLISHED

Assigner: AMZN

Published:

Updated: 2026-06-18T12:52:49.533Z

Reserved: 2026-06-17T13:55:09.204Z

Link: CVE-2026-12530

cve-icon Vulnrichment

Updated: 2026-06-18T12:52:46.066Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:15:04Z

Weaknesses
  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')