ZeroPath at Black Hat USA 2026

AWS AgentCore CLI CVE-2026-11393: Brief Summary of a Critical Code Injection via Triple-Quote Escaping

A brief summary of CVE-2026-11393, a CVSS 9.0 code injection vulnerability in the AWS AgentCore CLI where improper triple-quote escaping during Python code generation allows authenticated attackers to execute arbitrary code both locally and on AWS AgentCore Runtime.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-08

AWS AgentCore CLI CVE-2026-11393: Brief Summary of a Critical Code Injection via Triple-Quote Escaping
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A code injection flaw in the AWS AgentCore CLI allows an authenticated user within the same AWS account to plant arbitrary Python code that executes under another user's context, both on their local development machine and on AWS AgentCore Runtime with the imported agent's IAM role credentials. The vulnerability, tracked as CVE-2026-11393 with a CVSS score of 9.0, stems from a failure to properly escape triple-quote characters when the CLI generates Python source files during Bedrock Agent import.

Amazon Bedrock AgentCore is AWS's managed platform for building, deploying, and operating AI agents at scale. Launched broadly in 2026 (including AWS GovCloud availability as of May 5, 2026), it provides infrastructure lifecycle management for agentic AI workloads. The AgentCore CLI (@aws/agentcore), distributed via npm with 48 published versions and hosted in the aws/agentcore-cli GitHub repository (164 stars, 46 forks), is the primary developer interface for this platform.

Technical Information

Vulnerability Classification and Root Cause

CVE-2026-11393 falls under CWE-94: Improper Control of Generation of Code ('Code Injection'). Per MITRE's definition, this weakness arises when software constructs code segments dynamically from external input without sufficiently neutralizing elements that could modify the intended control flow. The key requirement is that "the attacker can control the structure of the generated code."

When a developer runs agentcore add agent --type import to import a Bedrock supervisor agent, the CLI generates a main.py Python source file. During this code generation step, the collaborationInstruction field from a Bedrock Agent collaborator association is interpolated directly into a triple-quoted Python docstring (delimited by """).

The critical flaw: the CLI applied single-quote escaping to the interpolated value rather than triple-quote escaping. In Python, a triple-quoted string is terminated only by a matching """ sequence. Escaping individual double quotes (as \") does not prevent a """ sequence from closing the docstring. An attacker who controls the collaborationInstruction value can inject a literal """ to break out of the docstring boundary, causing any subsequent content to be interpreted as executable Python statements rather than string data.

Attack Flow

The exploitation chain requires three preconditions and proceeds through a clear sequence:

Preconditions:

  1. The threat actor must be an authenticated user within the same AWS account as the victim.
  2. The attacker needs the bedrock:AssociateAgentCollaborator IAM permission, which allows setting or modifying the collaborationInstruction value on a Bedrock Agent collaborator association.
  3. The victim must subsequently run agentcore add agent --type import using an affected CLI version.

Exploitation sequence:

  1. The attacker crafts a collaborationInstruction containing """ followed by arbitrary Python code (for example, importing os and executing system commands).
  2. This crafted instruction is stored on a Bedrock Agent collaborator association via the bedrock:AssociateAgentCollaborator API.
  3. When another user in the same AWS account imports the affected agent, the CLI reads the collaborationInstruction and interpolates it into the generated main.py docstring.
  4. Because the CLI only applies single-quote escaping, the """ in the attacker's payload terminates the docstring. The Python code following the """ is now outside the string literal and becomes executable code in the generated file.
  5. The poisoned main.py executes in one of two contexts depending on how the victim uses it.

Dual Execution Context

The injected code runs in two distinct environments, each with different security implications:

Execution ContextTrigger CommandCredential ScopeImpact
Local developer machineagentcore devDeveloper's local credentials and environmentLocal code execution, potential access to developer secrets, SSH keys, local files
AWS AgentCore Runtimeagentcore deploy then agentcore invokeImported agent's IAM execution roleCloud code execution under the agent's IAM role, potential access to AWS resources per role permissions

This dual context is what distinguishes CVE-2026-11393 from the other AgentCore security findings documented by Unit 42 and Sonrai Security, which are cloud-only. The local execution path means that a developer's workstation, with all its stored credentials, source code, and network access, is directly in scope.

Compounding Risk: IAM Privilege Escalation

The severity of the cloud execution path is amplified by findings from Unit 42 ("Agent God Mode") and Sonrai Security. Unit 42 documented that AgentCore's auto-generated IAM execution roles grant wildcard resource access, meaning injected code running under such a role could access resources far beyond what the agent legitimately needs. AWS has since updated documentation to warn that these auto-generated roles are "designed for development and testing purposes" and should "never be used in a production system," but organizations that have not implemented custom least-privilege roles remain exposed to the full blast radius of any code injection.

Affected Systems and Versions

The vulnerability affects the following version ranges of the @aws/agentcore npm package:

TrackAffected RangePatched Version
GA (General Availability)0.4.0 through 0.14.1 (inclusive)0.14.2
Preview0.3.0-preview.7.0 through 1.0.0-preview.8 (inclusive)1.0.0-preview.9

The CLI requires Node.js 20.x or later and is written primarily in TypeScript. Any environment where the CLI was used to import a Bedrock supervisor agent (agentcore add agent --type import) on an affected version may contain a poisoned main.py file, even after the CLI itself is upgraded. Organizations should inventory all installed @aws/agentcore versions across development teams and CI/CD pipelines.

The fix was implemented in pull request #1329 by @padmak30 and released on May 21, 2026, approximately 18 days before the NVD publication date of June 8, 2026, consistent with a coordinated disclosure process.

Vendor Security History

CVE-2026-11393 is not an isolated finding in the AgentCore ecosystem. Three independent research efforts have identified security weaknesses in the platform within a relatively short timeframe:

FindingResearcherTypeRemediation
"Agent God Mode": over-permissive default IAM rolesUnit 42 (Palo Alto Networks)IAM privilege escalationAWS updated documentation with security warnings; custom IAM roles required
Code Interpreter privilege escalationSonrai SecurityIAM privilege escalation via Custom Code InterpreterSCP-based restrictions recommended
CVE-2026-11393: triple-quote code injectionAWS Security Team / @padmak30Code injection (CWE-94)Patched in v0.14.2 / v1.0.0-preview.9

The Unit 42 "Agent God Mode" finding was responsibly disclosed to AWS on November 17, 2025. Their kill chain demonstrated pulling a target agent's Docker image from ECR, extracting its MemoryID from environment files, and dumping or poisoning its conversation history using the overly permissive default IAM roles. Sonrai Security separately found that the Code Interpreter environment ships with the AWS CLI installed, enabling callers to execute any control plane action the execution role permits, and that "Sandbox" mode does not fully isolate S3 operations.

This pattern reflects the common security maturation challenges of rapid-release developer tooling: insufficient input sanitization in code generation paths and permissive defaults that prioritize developer experience over security. AWS's response has been timely in each case, but the recurring nature of these findings suggests that organizations deploying AgentCore should assume additional vulnerabilities may emerge and invest in defense-in-depth measures rather than relying solely on point patches.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization