CVE-2026-11393
Received Received - Intake
Code Injection in AgentCore CLI

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: AMZN

Description
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import. To remediate this issue, users should upgrade to version 0.14.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-08
Last Modified
2026-06-08
Generated
2026-06-09
AI Q&A
2026-06-08
EPSS Evaluated
N/A
NVD
CVE-2026-11393
EUVD
EUVD-2026-35187
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
agentcore agentcore 0.14.2
aws agentcore From 0.4.0 (exc) to 0.14.1 (inc)
aws agentcore From 0.3.0-preview.7.0 (inc) to 1.0.0-preview.8 (inc)
aws agentcore 0.4.0
aws agentcore 0.14.1
aws agentcore 0.14.2
aws agentcore 1.0.0-preview.8
aws agentcore 1.0.0-preview.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves improper neutralization of triple-quote characters during Python code generation in AgentCore CLI versions before 0.14.2.

An authenticated remote attacker can exploit this flaw by crafting a malicious collaborationInstruction stored on a Bedrock Agent collaborator.

When another user in the same AWS account imports this agent, the malicious code is processed and executed under the imported agent's IAM execution role and on the local environment of that user.

Impact Analysis

This vulnerability can allow an authenticated remote attacker to execute arbitrary code on the AWS AgentCore Runtime with the permissions of the imported agent's IAM execution role.

It can also lead to code execution on the local environment of another user within the same AWS account, potentially compromising sensitive data and system integrity.

The impact includes full confidentiality, integrity, and availability compromise as indicated by the high CVSS scores.

Compliance Impact

The vulnerability allows an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime and on the local environment of another user within the same AWS account. This code execution can occur under the imported agent's IAM execution role, potentially exposing sensitive data or allowing unauthorized actions.

Such unauthorized code execution and potential data exposure could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access. The ability for an attacker to execute arbitrary code with elevated permissions may lead to breaches of protected data or unauthorized system modifications, thereby violating these regulatory requirements.

To mitigate these risks and maintain compliance, users are advised to upgrade to the fixed version 0.14.2, regenerate and redeploy affected agents, and inspect generated code for malicious content if immediate upgrading is not possible.

Detection Guidance

To detect this vulnerability on your system, you should first check the version of the AWS AgentCore CLI installed. Versions between 0.4.0 and 0.14.1 (including preview versions 0.3.0-preview.7.0 to 1.0.0-preview.8) are vulnerable.

You can run the following command to check the installed version of the AgentCore CLI:

  • npm list -g @aws/agentcore

If you find a vulnerable version, inspect the generated main.py file of any imported Bedrock supervisor agents for suspicious triple-quote sequences ("""), especially in the collaborationInstruction field. Look for any unescaped triple-quote characters that could indicate attempted code injection.

A manual inspection command example (on Unix-like systems) to find triple-quote sequences in main.py files could be:

  • grep -n '\"\"\"' path/to/agent/main.py

If such sequences are found, it may indicate exploitation or attempted exploitation of the vulnerability.

To remediate, upgrade the CLI to version 0.14.2 or later, remove affected agents, regenerate main.py files with the patched CLI, and redeploy.

Mitigation Strategies

To remediate this vulnerability, users should upgrade to version 0.14.2 of AgentCore CLI.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11393. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart