CVE-2026-13769
Awaiting Analysis

Overly Permissive File Permissions in AWS CLI

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: AMZN

Description

Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register). To remediate this issue, users should upgrade to AWS CLI 1.44.78 (v1) or 2.34.29 (v2) or later.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor | Product | Version / Range
aws | aws_cli | to 1.44.78 (exc)
aws | aws_cli | to 2.34.29 (exc)

CWE

CWE ID | Description
CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Impact Analysis

This vulnerability can allow other local users on the same Unix-like system to read AWS credential files created by certain AWS CLI subcommands.

If exploited, it could lead to unauthorized access to AWS resources because exposed credentials might be used to perform actions permitted by those credentials.

The impact is primarily on confidentiality, as the integrity and availability of the system or AWS resources are not affected.

Compliance Impact

This vulnerability allows other local users on the same host to read AWS credentials due to overly permissive file permissions on Unix-like systems. Exposure of sensitive credentials can lead to unauthorized access to AWS resources, which may result in violations of data protection and security requirements outlined in standards such as GDPR and HIPAA.

Specifically, unauthorized disclosure of credentials could compromise confidentiality of personal or sensitive data, potentially leading to non-compliance with regulations that mandate strict access controls and protection of sensitive information.

Remediation by upgrading to patched AWS CLI versions reduces the risk of credential exposure and helps maintain compliance with these standards.

Executive Summary

CVE-2026-13769 is a vulnerability in the AWS Command Line Interface (AWS CLI) on Unix-like systems where certain subcommands create credential and configuration files with overly permissive file permissions.

Because the default umask on most systems does not restrict file permissions, these files can be read by other local users on the same host, potentially exposing sensitive AWS credentials.

The affected AWS CLI versions are v1 versions up to 1.44.77 and v2 versions up to 2.34.28. The issue was fixed in v1.44.78 and v2.34.29.

Detection Guidance

This vulnerability involves overly permissive file permissions on credential and configuration files created by certain AWS CLI subcommands on Unix-like systems. Detection involves checking the file permissions of these credential files to see if they are readable by other local users.

You can use commands like 'ls -l' on the relevant AWS CLI credential files (e.g., ~/.aws/credentials or files created by aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register) to check if the permissions are too permissive (e.g., world-readable). For example:

  • ls -l ~/.aws/credentials
  • ls -l <path-to-credential-file-created-by-affected-subcommands>

If the permissions show that other users have read access (e.g., permissions like -rw-r--r--), this indicates the vulnerability may be present.
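
A scripted version of the check above, as an added example that is not part of the original report and is not AWS code. It flags files whose group-read or other-read bit is set (slightly broader than the world-readable case) and includes constructed sample files showing how umask 022 versus 077 changes the mode of a newly written file; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not AWS code). Usage: sh audit_perms.sh PATH [PATH...]
# Function and file names here are hypothetical.

# audit_readable PATH...: print every regular file at or under each PATH
# whose group-read or other-read bit is set. Prints nothing when all are tight.
audit_readable() {
    for p in "$@"; do
        [ -e "$p" ] || continue          # skip paths that do not exist
        # -perm -0040: group-read bit set; -perm -0004: other-read bit set
        find "$p" -type f \( -perm -0040 -o -perm -0004 \) -print
    done
}

# make_sample DIR: constructed sample files, no real credentials.
# Each write runs in a subshell so the umask change stays local to it.
make_sample() {
    mkdir -p "$1"
    ( umask 022; printf 'constructed-secret\n' > "$1/written_with_umask_022" )  # -> 0644
    ( umask 077; printf 'constructed-secret\n' > "$1/written_with_umask_077" )  # -> 0600
}

# Note: a flagged file is only reachable by other users if they also have
# search (x) permission on every parent directory, so check those modes too.
[ "$#" -eq 0 ] || audit_readable "$@"
```

Pass the credential directory and any files written by the affected subcommands as arguments; empty output means none of them are group- or world-readable.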

Mitigation Strategies

The primary mitigation step is to upgrade the AWS CLI to a fixed version where this vulnerability is resolved.

  • Upgrade AWS CLI v1 to version 1.44.78 or later.
  • Upgrade AWS CLI v2 to version 2.34.29 or later.

Additionally, ensure that the system's umask is configured to restrict file permissions appropriately to prevent credential files from being world-readable.
