CVE Catalog

CVE-2026-12530

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

22th percentile — higher than 22% of all known CVEs

Summary

The install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 has improper neutralization of argument delimiters, which may allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments.

Risk Assessment

This vulnerability could lead to unauthorized code execution, posing a significant security risk to the organization's systems and data.

Recommendation

It is recommended to upgrade to version 1.6.1 to mitigate the risks associated with this vulnerability.

Original NVD description (English source)

Improper neutralization of argument delimiters in the install_packages() method in AWS Bedrock AgentCore Python SDK versions >= 1.1.3 and < 1.6.1 might allow a remote authenticated user to execute arbitrary commands within the Code Interpreter sandbox via crafted package name arguments. To mitigate this issue, users should upgrade to version 1.6.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS