CVE-2026-7461
Analyzed Analyzed - Analysis Complete
Improper OS Command Injection in Amazon ECS Agent for Windows

Publication date: 2026-04-30

Last updated on: 2026-05-05

Assigner: AMZN

Description
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-30
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7461
EUVD
EUVD-2026-26412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
amazon amazon_ecs_container_agent From 1.47.0 (inc) to 1.103.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves improper neutralization of inputs in the FSx Windows File Server volume mounting component of the Amazon ECS Agent on Windows, allowing remote authenticated attackers to execute commands with SYSTEM privileges via specially crafted usernames in ECS task definitions.

Detection would involve identifying ECS task definitions that contain suspicious or specially crafted username fields used in FSx volume configurations, as well as monitoring for unauthorized ecs:RegisterTaskDefinition API calls or write access to Secrets Manager or SSM Parameter Store credentials related to FSx volumes.

However, no specific detection commands or signatures are provided in the available resources.

Executive Summary

CVE-2026-7461 is an OS command injection vulnerability in the Amazon ECS Agent on Windows versions before 1.103.0. It occurs in the FSx Windows File Server volume mounting component when a specially crafted username field is used in an ECS task definition. This flaw allows a remote authenticated attacker, who has permissions to register ECS task definitions or write to Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration, to execute shell commands with SYSTEM privileges on the underlying host.

Impact Analysis

This vulnerability can allow a remote authenticated threat actor to execute arbitrary shell commands with SYSTEM-level privileges on the underlying host machine. This means the attacker could potentially take full control of the affected Windows EC2 instance running the Amazon ECS Agent, leading to unauthorized access, data compromise, or disruption of services.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade the Amazon ECS Agent to version 1.103.0 or later.

As a workaround for those unable to update immediately, restrict the ecs:RegisterTaskDefinition permission to trusted IAM principals only.

Additionally, limit write access to Secrets Manager secrets or SSM Parameter Store credentials referenced in FSx volume configurations.

Users are also advised to upgrade to the latest Amazon ECS-optimized Windows AMI.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7461. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart