CVE-2026-7461
Published: 30 April 2026
Summary
CVE-2026-7461 is a high-severity OS Command Injection (CWE-78) vulnerability in the Amazon ECS Container Agent. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Windows Command Shell (T1059.003). It is ranked at the 13.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the improper neutralization of inputs in the username field by requiring validation mechanisms to prevent OS command injection in the FSx volume mounting component.
- SI-2 (Flaw Remediation): Mandates timely identification and remediation of the specific flaw in Amazon ECS Agent versions before 1.103.0 through patching or upgrades.
- Least privilege: Restricts permissions for registering ECS task definitions or writing to Secrets Manager/SSM Parameter Store, limiting who can supply malicious inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection (CWE-78) directly enables arbitrary Windows shell command execution as SYSTEM (T1059.003) and exploitation of the vulnerability for privilege escalation to SYSTEM (T1068).
NVD Description
Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. To remediate this issue, users should upgrade to version 1.103.0.
Deeper analysis
CVE-2026-7461 is an OS command injection vulnerability (CWE-78) in the FSx Windows File Server volume mounting component of the Amazon ECS Agent on Windows, affecting versions prior to 1.103.0. The flaw stems from improper neutralization of inputs used in an OS command, enabling injection via a specially crafted username field in an ECS task definition. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A remote authenticated threat actor can exploit this vulnerability if they have permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration. Successful exploitation allows execution of arbitrary shell commands with SYSTEM privileges on the underlying host.
AWS security advisories and the ECS Agent release notes recommend upgrading to version 1.103.0 to remediate the issue. Relevant resources include the AWS security bulletin at https://aws.amazon.com/security/security-bulletins/2026-024-aws/, the GitHub release at https://github.com/aws/amazon-ecs-agent/releases/tag/v1.103.0, and the GitHub security advisory at https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-fc67-c4hg-q653.
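The two controls the analysis above singles out, input validation (SI-10) and keeping the credential out of any shell command line, can be shown in a few lines of Go. The example below is added here for illustration and is not the ECS Agent's code; the page does not describe how the agent builds its mount command or what its fix changed. The helper name mount-fsx-share, the allowlist pattern and the sample inputs are all constructed assumptions. The point it demonstrates is general: reject a username that does not match a narrow allowlist, and pass the accepted value as its own argv element to a non-shell executable rather than interpolating it into a cmd.exe or PowerShell command string.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
)

// usernamePattern is a constructed allowlist for the shapes a Windows file-share
// credential normally takes: "user", "DOMAIN\user" or "user@domain.example".
// Only letters, digits, '.', '-' and '_' are permitted in each part, so quotes,
// whitespace and command-interpreter metacharacters can never get through.
var usernamePattern = regexp.MustCompile(
	`^(?:[A-Za-z0-9._-]{1,64}\\)?[A-Za-z0-9._-]{1,64}(?:@[A-Za-z0-9.-]{1,253})?$`)

// ErrInvalidUsername is returned for any input outside the allowlist.
var ErrInvalidUsername = errors.New("fsx mount: username contains characters outside the allowed set")

// ValidateUsername is the SI-10 style check: accept only an allowlisted shape
// and never try to "escape" or repair a value that fails it.
func ValidateUsername(u string) error {
	if !usernamePattern.MatchString(u) {
		return ErrInvalidUsername
	}
	return nil
}

// BuildMountArgs returns the argument vector for a hypothetical mount helper
// (mount-fsx-share is an assumed name, not a real tool). Every value is its own
// argv entry; nothing is concatenated into a command line string.
func BuildMountArgs(shareUNC, driveLetter, username string) ([]string, error) {
	if err := ValidateUsername(username); err != nil {
		return nil, err
	}
	return []string{
		"mount-fsx-share",
		"--share", shareUNC,
		"--drive", driveLetter,
		"--user", username,
	}, nil
}

// MountCommand wraps the argv in an exec.Cmd that runs the helper directly.
// Because no shell (cmd.exe /C, powershell -Command) is in the path, argv
// entries are delivered as data, not parsed for operators. The target must
// itself be an executable, not a .bat/.cmd script, for that guarantee to hold.
func MountCommand(shareUNC, driveLetter, username string) (*exec.Cmd, error) {
	args, err := BuildMountArgs(shareUNC, driveLetter, username)
	if err != nil {
		return nil, err
	}
	return exec.Command(args[0], args[1:]...), nil
}

func main() {
	// Constructed inputs: a well-formed domain credential and one carrying
	// characters a command interpreter would treat as operators.
	for _, u := range []string{`CORP\svc-ecs`, `svc-ecs & echo injected`} {
		_, err := MountCommand(`\\fs-0123.example.internal\share`, "Z:", u)
		fmt.Printf("%-28q -> %v\n", u, err)
	}
}
```

Validation and argv construction are kept separate so the check can also be applied at the point where a task definition or Secrets Manager value is first read, before it reaches any mount logic; the least-privilege control on RegisterTaskDefinition and secret writes limits who can submit the value in the first place, while the allowlist limits what it can contain.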
Details
- CWE(s)