CVE-2026-11417
Awaiting Analysis Awaiting Analysis - Queue

OS Command Injection in AWS CDK Toolchain

Vulnerability report for CVE-2026-11417, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: AMZN

Description

OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (2.246.0 on Windows) might allow an actor who controls the value of one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters. This issue requires the threat actor to control the value of one or more of the affected bundling properties in the CDK application. To remediate this issue, users should upgrade to aws-cdk-lib 2.245.0 (2.246.0 on Windows) or later.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-07-07
AI Q&A
2026-06-10
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
aws aws-cdk-lib to 2.245.0 (exc)
aws aws-cdk-lib 2.246.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows arbitrary command execution on the host running the CDK toolchain, which can lead to unauthorized access or modification of data. Such unauthorized access or data compromise could potentially impact compliance with standards and regulations like GDPR or HIPAA that require protection of sensitive data and secure system operations.

However, the provided information does not explicitly discuss the direct impact of this vulnerability on compliance with specific standards or regulations.

Executive Summary

CVE-2026-11417 is an OS command injection vulnerability in the NodejsFunction local bundling pipeline of the aws-cdk-lib before version 2.245.0 (2.246.0 on Windows). It occurs because certain bundling properties (externalModules, define, loader, inject, or esbuildArgs) are interpolated directly into a shell command without proper escaping or validation.

An attacker who controls the value of one or more of these properties can inject shell metacharacters to execute arbitrary commands on the host running the CDK toolchain. This requires the attacker to have control over these bundling property values, for example through an untrusted npm dependency or a malicious pull request.

The vulnerability has been fixed by replacing shell-based command execution with a safer array-based spawnSync invocation in aws-cdk-lib version 2.245.0 (2.246.0 on Windows).

Impact Analysis

This vulnerability allows an attacker to execute arbitrary OS commands on the host system running the AWS CDK toolchain with the privileges of the user running CDK commands such as cdk synth, cdk deploy, or cdk diff.

Successful exploitation can lead to compromise of confidentiality, integrity, and availability of the affected system, as arbitrary commands can be run locally.

The attack requires local access and control over certain bundling property values, but the impact is high due to the ability to execute arbitrary commands.

Detection Guidance

This vulnerability arises when an attacker controls one or more bundling properties (externalModules, define, loader, inject, or esbuildArgs) in the aws-cdk-lib NodejsFunction local bundling pipeline, allowing arbitrary command execution via shell metacharacters.

Detection involves auditing your CDK applications and build pipelines for usage of these bundling properties with untrusted or unexpected values. Specifically, review any third-party constructs, npm dependencies, or pull requests that set these properties.

There are no specific network detection commands provided in the resources. However, you can check the version of aws-cdk-lib installed to determine if it is vulnerable by running:

  • npm list aws-cdk-lib

Additionally, you can search your codebase for usage of the affected bundling properties to identify potential injection points:

  • grep -rE 'externalModules|define|loader|inject|esbuildArgs' ./

Monitoring for unexpected shell command executions or unusual behavior during CDK commands like cdk synth, cdk deploy, or cdk diff may also help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade aws-cdk-lib to version 2.245.0 (2.246.0 on Windows) or later, where the vulnerability has been patched.

As a workaround or additional precaution, ensure that values passed to the affected bundling properties (externalModules, define, loader, inject, or esbuildArgs) come only from trusted sources.

Audit any third-party constructs, npm dependencies, or pull requests that set these bundling properties to prevent injection of malicious shell metacharacters.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11417. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart