The Bedrock AgentCore Starter Toolkit fails to verify that objects stored in Amazon S3 belong to the correct owner before starting the build process. Because of this missing check, a remote actor can supply a malicious object, which the toolkit then executes during the build, leading to code execution inside the AgentCore Runtime. The weakness maps to CWE‑283 (Improper Access Control) and CWE‑340 (Cryptographic Logic Errors). S3 ownership verification is a critical security control, and its absence permits a remote adversary to execute arbitrary code, potentially compromising confidentiality, integrity, and availability of any application that relies on the toolkit.

Only deployments of Bedrock AgentCore Starter Toolkit earlier than version v0.1.13 that were built or rebuilt after September 24, 2025 are vulnerable. Users on v0.1.13 or later, or users who built the toolkit before the stated date, are not affected. The vulnerability is relevant to any AWS customer who uses the starter toolkit in a custom application with its own S3 bucket integrations.

The CVSS score of 5.8 denotes moderate severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a remote actor injecting a malicious S3 object that the toolkit accepts during a build, a scenario that requires access to the S3 bucket used by the build process. Because the vulnerability requires configuration of the build environment, exploitation is not trivial, but the potential for arbitrary code execution makes it a significant concern for affected users.