AWS — CVE-2026-11393 AgentCore CLI Triple-Quote Code Injection

AI relevance: AWS AgentCore CLI is the primary developer tooling for deploying and managing AI agents on Amazon Bedrock — a code injection in the CLI's agent-import flow means any team building or deploying Bedrock agents could silently execute attacker-crafted Python when scaffolding projects.

Key Details

  • Tracked as CVE-2026-11393 (CVSS 9); disclosed by AWS on June 8, 2026.
  • Mechanism: The agentcore add agent --type import command interpolates the collaborationInstruction field from a Bedrock Agent collaborator association into a triple-quoted Python docstring in the generated main.py. The CLI used single-quote escaping instead of triple-quote escaping, so a user with bedrock:AssociateAgentCollaborator IAM permission could embed """ to break out of the docstring and inject arbitrary Python.
  • Execution trigger: The injected code runs when the generated file is executed via agentcore dev locally, or via agentcore deploy followed by agentcore invoke in the AgentCore Runtime environment.
  • Impact: Arbitrary Python executes with the credentials available in the execution context — meaning cloud credentials, IAM roles, and any secrets the agent has access to.
  • Affected versions: @aws/agentcore ≥ 0.4.0 and < 0.14.2, plus 1.0.0-preview.7.0 to < 1.0.0-preview.9.
  • Fix: Upgrade to @aws/agentcore v0.14.2 or 1.0.0-preview.9+, remove the affected agent, re-import with the patched CLI, and redeploy.
  • Workaround: Manually inspect generated main.py for """ sequences in collaborator instruction values and escape them before deployment.

Why It Matters

This is a supply-chain-style attack inside the agent development lifecycle itself. The CLI — a trusted build tool — generates code from data supplied by another team member within the same AWS account, without proper sanitization. Any organization using Bedrock AgentCore for multi-agent collaboration should assume that previously-imported agents may contain injected payloads. The attack requires only the bedrock:AssociateAgentCollaborator permission, which is commonly granted to developers building agentic workflows.

What to Do

  • Upgrade @aws/agentcore to ≥ 0.14.2 or ≥ 1.0.0-preview.9 immediately.
  • For each previously imported agent: remove, re-import with the patched CLI, and redeploy.
  • Rotate any credentials that were available in contexts where affected main.py files were executed.
  • Review IAM policies for bedrock:AssociateAgentCollaborator — restrict to only those who genuinely need it.
  • As a general rule: treat agent-sourced metadata (collaborator instructions, tool configs, MCP server descriptions) as untrusted input that needs sanitization before code generation.
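
The sketch below is an added example, not code from AWS or the AgentCore CLI. It shows the flaw class in a generator and a guard a code generator can run before writing the file: emit the value with repr() and confirm with ast that the output is a single assignment holding the original string. The template shape, function names and sample instruction are assumptions constructed for illustration.

```python
import ast

# Constructed sample: an instruction value containing a triple-quote
# sequence followed by a harmless marker assignment.
SAMPLE_INSTRUCTION = 'Route billing questions.\n"""\nMARKER = 1\n"""\n'


def render_naive(instruction: str) -> str:
    """Hypothetical template (assumption, not the CLI's code): escapes
    backslashes and single quotes only, then embeds in triple quotes."""
    escaped = instruction.replace("\\", "\\\\").replace("'", "\\'")
    return f'COLLABORATOR_INSTRUCTION = """{escaped}"""\n'


def render_safe(instruction: str) -> str:
    """Emit the value as a Python literal with repr(), so quotes,
    backslashes and newlines are escaped by the language's own rules."""
    return f"COLLABORATOR_INSTRUCTION = {instruction!r}\n"


def top_level_statements(source: str) -> int:
    """Count module-level statements in generated source."""
    return len(ast.parse(source).body)


def embedded_value_intact(source: str, instruction: str) -> bool:
    """True only if the source is exactly one assignment whose value is
    the original string, unchanged. Run this before writing the file."""
    try:
        body = ast.parse(source).body
    except SyntaxError:
        return False
    if len(body) != 1 or not isinstance(body[0], ast.Assign):
        return False
    value = body[0].value
    return isinstance(value, ast.Constant) and value.value == instruction


if __name__ == "__main__":
    for render in (render_naive, render_safe):
        src = render(SAMPLE_INSTRUCTION)
        print(render.__name__, top_level_statements(src),
              embedded_value_intact(src, SAMPLE_INSTRUCTION))
```

Because the check only parses the generated source and never executes it, it can run in a build pipeline over untrusted metadata.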
