Introduction
A code injection flaw in the AWS AgentCore CLI allows an authenticated user within the same AWS account to plant arbitrary Python code that executes under another user's context, both on their local development machine and on AWS AgentCore Runtime with the imported agent's IAM role credentials. The vulnerability, tracked as CVE-2026-11393 with a CVSS score of 9.0, stems from a failure to properly escape triple-quote characters when the CLI generates Python source files during Bedrock Agent import.
Amazon Bedrock AgentCore is AWS's managed platform for building, deploying, and operating AI agents at scale. Launched broadly in 2026 (including AWS GovCloud availability as of May 5, 2026), it provides infrastructure lifecycle management for agentic AI workloads. The AgentCore CLI (@aws/agentcore), distributed via npm with 48 published versions and hosted in the aws/agentcore-cli GitHub repository (164 stars, 46 forks), is the primary developer interface for this platform.
Technical Information
Vulnerability Classification and Root Cause
CVE-2026-11393 falls under CWE-94: Improper Control of Generation of Code ('Code Injection'). Per MITRE's definition, this weakness arises when software constructs code segments dynamically from external input without sufficiently neutralizing elements that could modify the intended control flow. The key requirement is that "the attacker can control the structure of the generated code."
When a developer runs agentcore add agent --type import to import a Bedrock supervisor agent, the CLI generates a main.py Python source file. During this code generation step, the collaborationInstruction field from a Bedrock Agent collaborator association is interpolated directly into a triple-quoted Python docstring (delimited by """).
The critical flaw: the CLI applied single-quote escaping to the interpolated value rather than triple-quote escaping. In Python, a triple-quoted string is terminated only by a matching """ sequence. Escaping individual double quotes (as \") does not prevent a """ sequence from closing the docstring. An attacker who controls the collaborationInstruction value can inject a literal """ to break out of the docstring boundary, causing any subsequent content to be interpreted as executable Python statements rather than string data.
Attack Flow
The exploitation chain requires three preconditions and proceeds through a clear sequence:
Preconditions:
- The threat actor must be an authenticated user within the same AWS account as the victim.
- The attacker needs the
bedrock:AssociateAgentCollaboratorIAM permission, which allows setting or modifying thecollaborationInstructionvalue on a Bedrock Agent collaborator association. - The victim must subsequently run
agentcore add agent --type importusing an affected CLI version.
Exploitation sequence:
- The attacker crafts a
collaborationInstructioncontaining"""followed by arbitrary Python code (for example, importingosand executing system commands). - This crafted instruction is stored on a Bedrock Agent collaborator association via the
bedrock:AssociateAgentCollaboratorAPI. - When another user in the same AWS account imports the affected agent, the CLI reads the
collaborationInstructionand interpolates it into the generatedmain.pydocstring. - Because the CLI only applies single-quote escaping, the
"""in the attacker's payload terminates the docstring. The Python code following the"""is now outside the string literal and becomes executable code in the generated file. - The poisoned
main.pyexecutes in one of two contexts depending on how the victim uses it.
Dual Execution Context
The injected code runs in two distinct environments, each with different security implications:
| Execution Context | Trigger Command | Credential Scope | Impact |
|---|---|---|---|
| Local developer machine | agentcore dev | Developer's local credentials and environment | Local code execution, potential access to developer secrets, SSH keys, local files |
| AWS AgentCore Runtime | agentcore deploy then agentcore invoke | Imported agent's IAM execution role | Cloud code execution under the agent's IAM role, potential access to AWS resources per role permissions |
This dual context is what distinguishes CVE-2026-11393 from the other AgentCore security findings documented by Unit 42 and Sonrai Security, which are cloud-only. The local execution path means that a developer's workstation, with all its stored credentials, source code, and network access, is directly in scope.
Compounding Risk: IAM Privilege Escalation
The severity of the cloud execution path is amplified by findings from Unit 42 ("Agent God Mode") and Sonrai Security. Unit 42 documented that AgentCore's auto-generated IAM execution roles grant wildcard resource access, meaning injected code running under such a role could access resources far beyond what the agent legitimately needs. AWS has since updated documentation to warn that these auto-generated roles are "designed for development and testing purposes" and should "never be used in a production system," but organizations that have not implemented custom least-privilege roles remain exposed to the full blast radius of any code injection.
Affected Systems and Versions
The vulnerability affects the following version ranges of the @aws/agentcore npm package:
| Track | Affected Range | Patched Version |
|---|---|---|
| GA (General Availability) | 0.4.0 through 0.14.1 (inclusive) | 0.14.2 |
| Preview | 0.3.0-preview.7.0 through 1.0.0-preview.8 (inclusive) | 1.0.0-preview.9 |
The CLI requires Node.js 20.x or later and is written primarily in TypeScript. Any environment where the CLI was used to import a Bedrock supervisor agent (agentcore add agent --type import) on an affected version may contain a poisoned main.py file, even after the CLI itself is upgraded. Organizations should inventory all installed @aws/agentcore versions across development teams and CI/CD pipelines.
The fix was implemented in pull request #1329 by @padmak30 and released on May 21, 2026, approximately 18 days before the NVD publication date of June 8, 2026, consistent with a coordinated disclosure process.
Vendor Security History
CVE-2026-11393 is not an isolated finding in the AgentCore ecosystem. Three independent research efforts have identified security weaknesses in the platform within a relatively short timeframe:
| Finding | Researcher | Type | Remediation |
|---|---|---|---|
| "Agent God Mode": over-permissive default IAM roles | Unit 42 (Palo Alto Networks) | IAM privilege escalation | AWS updated documentation with security warnings; custom IAM roles required |
| Code Interpreter privilege escalation | Sonrai Security | IAM privilege escalation via Custom Code Interpreter | SCP-based restrictions recommended |
| CVE-2026-11393: triple-quote code injection | AWS Security Team / @padmak30 | Code injection (CWE-94) | Patched in v0.14.2 / v1.0.0-preview.9 |
The Unit 42 "Agent God Mode" finding was responsibly disclosed to AWS on November 17, 2025. Their kill chain demonstrated pulling a target agent's Docker image from ECR, extracting its MemoryID from environment files, and dumping or poisoning its conversation history using the overly permissive default IAM roles. Sonrai Security separately found that the Code Interpreter environment ships with the AWS CLI installed, enabling callers to execute any control plane action the execution role permits, and that "Sandbox" mode does not fully isolate S3 operations.
This pattern reflects the common security maturation challenges of rapid-release developer tooling: insufficient input sanitization in code generation paths and permissive defaults that prioritize developer experience over security. AWS's response has been timely in each case, but the recurring nature of these findings suggests that organizations deploying AgentCore should assume additional vulnerabilities may emerge and invest in defense-in-depth measures rather than relying solely on point patches.
References
- AWS Security Bulletin 2026-040: CVE-2026-11393
- GitHub Advisory GHSA-m4x6-gwgp-4pm7
- AgentCore CLI v0.14.2 Release Notes
- @aws/agentcore v0.14.2 on npm
- @aws/agentcore v1.0.0-preview.9 on npm
- Amazon Bedrock AgentCore Product Page
- aws/agentcore-cli GitHub Repository
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- Unit 42: Cracks in the Bedrock: Agent God Mode
- Sonrai Security: AWS AgentCore Privilege Escalation Path
- AWS Vulnerability Reporting



