CVE-2026-7461
Improper OS Command Injection in Amazon ECS Agent for Windows
Publication date: 2026-04-30
Last updated on: 2026-05-05
Assigner: AMZN
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| amazon | amazon_ecs_container_agent | From 1.47.0 (inclusive) to 1.103.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-7461 is an OS command injection vulnerability in the Amazon ECS Agent on Windows versions before 1.103.0. It occurs in the FSx Windows File Server volume mounting component when a specially crafted username field is used in an ECS task definition. This flaw allows a remote authenticated attacker, who has permissions to register ECS task definitions or write to Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration, to execute shell commands with SYSTEM privileges on the underlying host.
How can this vulnerability impact me?
This vulnerability can allow a remote authenticated threat actor to execute arbitrary shell commands with SYSTEM-level privileges on the underlying host machine. This means the attacker could potentially take full control of the affected Windows EC2 instance running the Amazon ECS Agent, leading to unauthorized access, data compromise, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade the Amazon ECS Agent to version 1.103.0 or later.
As a workaround for those unable to update immediately, restrict the ecs:RegisterTaskDefinition permission to trusted IAM principals only.
Additionally, limit write access to Secrets Manager secrets or SSM Parameter Store credentials referenced in FSx volume configurations.
Users are also advised to upgrade to the latest Amazon ECS-optimized Windows AMI.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper neutralization of inputs in the FSx Windows File Server volume mounting component of the Amazon ECS Agent on Windows, allowing remote authenticated attackers to execute commands with SYSTEM privileges via specially crafted usernames in ECS task definitions.
Detection would involve identifying ECS task definitions that contain suspicious or specially crafted username fields used in FSx volume configurations, as well as monitoring for unauthorized ecs:RegisterTaskDefinition API calls or write access to Secrets Manager or SSM Parameter Store credentials related to FSx volumes.
However, no specific detection commands or signatures are provided in the available resources.
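The mitigation and detection answers above describe what to look for but give no concrete checks. The following script is an added example, not code from the advisory or from Amazon, that does three things a defender would actually run: it flags Windows container instances whose agent version falls inside the affected range (1.47.0 inclusive to 1.103.0 exclusive), it triages CloudTrail events for RegisterTaskDefinition calls that declare FSx Windows File Server volumes and for subsequent writes to the Secrets Manager secret or SSM parameter those volumes reference, and it applies a conservative allowlist to the credential username before it is trusted. The record shapes follow the ECS DescribeContainerInstances, task definition and CloudTrail formats; the sample records are constructed for this example, the username allowlist pattern is an assumption of this example, and the Secrets Manager name matching (stripping the six-character ARN suffix) is a heuristic. Substitute boto3 results for the sample lists to run it against a real account.

```python
"""Defender-side triage for CVE-2026-7461 (ECS Agent for Windows, FSx Windows
File Server volume mounting).  Added example, not the advisory's code.  Runs
offline on constructed records shaped like ECS DescribeContainerInstances
output, ECS task definitions and CloudTrail events."""
import re

# Affected range from the advisory: 1.47.0 (inclusive) to 1.103.0 (exclusive).
AFFECTED_FROM = (1, 47, 0)
FIXED_IN = (1, 103, 0)

# Conservative allowlist for the FSx credential "username": DOMAIN\user,
# user@domain.tld or a bare user name.  Assumption of this example: any other
# character sends the value to manual review instead of the agent.
USERNAME_OK = re.compile(r"^(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9._-]+(?:@[A-Za-z0-9.-]+)?$")


def parse_version(text: str) -> tuple:
    """'1.102.0' -> (1, 102, 0); tolerates a leading 'v' and a '-suffix'."""
    return tuple(int(p) for p in text.lstrip("v").split("-")[0].split("."))


def is_affected(agent_version: str) -> bool:
    """True when the agent version falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(agent_version) < FIXED_IN


def instances_needing_upgrade(container_instances: list) -> list:
    """ARNs of Windows container instances still running an affected agent."""
    hits = []
    for ci in container_instances:
        attrs = {a["name"]: a.get("value", "") for a in ci.get("attributes", [])}
        if attrs.get("ecs.os-type", "").lower() != "windows":
            continue  # Linux agents are outside this advisory
        if is_affected(ci["versionInfo"]["agentVersion"]):
            hits.append(ci["containerInstanceArn"])
    return hits


def username_is_safe(username: str) -> bool:
    """Allowlist check; False means the credential value needs manual review."""
    return bool(USERNAME_OK.match(username))


def fsx_credential_arns(task_definition: dict) -> list:
    """credentialsParameter ARNs referenced by FSx Windows volumes in a task definition."""
    arns = []
    for vol in task_definition.get("volumes", []):
        cfg = vol.get("fsxWindowsFileServerVolumeConfiguration") or {}
        arn = cfg.get("authorizationConfig", {}).get("credentialsParameter")
        if arn:
            arns.append(arn)
    return arns


def _refers_to(target: str, watched: set) -> bool:
    """Match a CloudTrail secretId / parameter name against watched credential ARNs."""
    name = target.lstrip("/")
    for w in watched:
        if w == target:
            return True
        resource = w.split(":", 5)[-1]  # 'secret:<name>-XXXXXX' or 'parameter/<name>'
        # Heuristic: Secrets Manager ARNs carry a random 6-character suffix after the name.
        if resource.startswith("secret:") and re.sub(r"-[A-Za-z0-9]{6}$", "", resource[7:]) == name:
            return True
        if resource.startswith("parameter/") and resource[10:] == name:
            return True
    return False


def triage_cloudtrail(events: list) -> list:
    """Flag RegisterTaskDefinition calls that declare FSx Windows volumes, then any
    later write to the Secrets Manager secret or SSM parameter those volumes use."""
    findings, watched = [], set()
    for ev in events:  # events are assumed to be in time order
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        if name == "RegisterTaskDefinition":
            arns = fsx_credential_arns(params)
            if arns:
                watched.update(arns)
                findings.append(("fsx-task-definition", actor, params.get("family"), arns))
        elif name in ("PutSecretValue", "UpdateSecret", "PutParameter"):
            target = params.get("secretId") or params.get("name") or ""
            if _refers_to(target, watched):
                findings.append(("credential-write", actor, name, [target]))
    return findings


# --- constructed sample input (not real account data) -------------------------
SAMPLE_INSTANCES = [
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/win-1",
     "versionInfo": {"agentVersion": "1.102.0"}, "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/win-2",
     "versionInfo": {"agentVersion": "1.103.0"}, "attributes": [{"name": "ecs.os-type", "value": "windows"}]},
    {"containerInstanceArn": "arn:aws:ecs:us-east-1:111122223333:container-instance/lin-1",
     "versionInfo": {"agentVersion": "1.90.0"}, "attributes": [{"name": "ecs.os-type", "value": "linux"}]},
]
SECRET_ARN = "arn:aws:secretsmanager:us-east-1:111122223333:secret:fsx-creds-AbCdEf"
SAMPLE_EVENTS = [
    {"eventName": "RegisterTaskDefinition", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-a"},
     "requestParameters": {"family": "fsx-app", "volumes": [{"name": "share",
         "fsxWindowsFileServerVolumeConfiguration": {"fileSystemId": "fs-0123456789abcdef0", "rootDirectory": "share",
             "authorizationConfig": {"credentialsParameter": SECRET_ARN, "domain": "corp.example"}}}]}},
    {"eventName": "PutSecretValue", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-b"},
     "requestParameters": {"secretId": SECRET_ARN}},
    {"eventName": "PutSecretValue", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-b"},
     "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:111122223333:secret:unrelated-XyZ"}},
]

if __name__ == "__main__":
    print("needs upgrade:", instances_needing_upgrade(SAMPLE_INSTANCES))
    for finding in triage_cloudtrail(SAMPLE_EVENTS):
        print("finding:", finding)
    for user in ("CORP\\ecs-fsx-svc", "svc@corp.example", 'svc"&x'):
        print(user, "->", "ok" if username_is_safe(user) else "REVIEW")
```

The CloudTrail pass is stateful on purpose: a credential write is only interesting once a task definition has tied that secret or parameter to an FSx volume, which is exactly the write path the advisory names. Pair the `instances_needing_upgrade` output with a rolling replacement to the latest ECS-optimized Windows AMI, and treat any `credential-write` finding from a principal outside the set that is supposed to hold `ecs:RegisterTaskDefinition` or secret write access as a priority review item.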