AWS Security Bulletins
Amazon Web Services security advisories.
72 advisories tracked · showing 72
- Jul 6, 20262026-052-AWSCVE-2026-14471
CVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-registry
- Jul 1, 20262026-051-AWSCVE-2026-14265
CVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin
- Jul 1, 20262026-050-AWSCVE-2026-13760
CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib
- Jul 1, 20262026-049-AWSCVE-2026-13769
CVE-2026-13769 – Insecure file permissions in AWS CLI
- Jun 29, 20262026-048-AWSCVE-2026-13762, CVE-2026-13763
CVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF
- Jun 23, 20262026-047-AWSCVE-2026-12957, CVE-2026-12958
CVE-2026-12957 and CVE-2026-12958 - Issues in Language Servers for AWS and Amazon Q Developer Plugins
- Jun 19, 20262026-046-AWSCVE-2026-50195, CVE-2026-53488 +3
Issue with containerd CRI Plugin - CVE-2026-50195, CVE-2026-53488, CVE-2026-53492, CVE-2026-53489, CVE-2026-47262
- Jun 17, 20262026-044-AWSCVE-2026-12530
CVE-2026-12530 - Improper neutralization of argument delimiters in AWS Bedrock AgentCore Python SDK install_packages()
- Jun 15, 20262026-045-AWSCVE-2026-11931
CVE-2026-11931 - Insecure Permissions on Authentication Token Cache File in Kiro IDE
- Jun 12, 20262026-043-AWSCVE-2026-12043
CVE-2026-12043 - Heap double-free in AWS Common Runtime aws-c-http
- Jun 10, 20262026-042-AWSCVE-2026-10740
CVE-2026-10740 - Excessive memory allocation in s2n-quic
- Jun 10, 20262026-041-AWSCVE-2026-11417, CVE-2026-10740
CVE-2026-10740 - Excessive memory allocation in s2n-quic
- Jun 8, 20262026-040-AWSCVE-2026-11393
CVE-2026-11393 - Code Injection via Improper Triple-Quote Escaping in AgentCore CLI Bedrock Agent Import
- Jun 5, 20262026-039-AWSCVE-2026-11400, CVE-2026-11401
CVE-2026-11400 and CVE-2026-11401
- Jun 2, 20262026-038-AWSCVE-2026-10584
CVE-2026-10584 - HTTPS Fallback to HTTP in Graph Explorer
- Jun 2, 20262026-037-AWSCVE-2026-10591
CVE-2026-10591 - Kiro IDE Insufficient File Write Restrictions to Execution-Sensitive Paths
- May 22, 20262026-036-AWSCVE-2026-9291
CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing
- May 22, 20262026-035-AWSCVE-2026-9255
CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI
- May 20, 20262026-034-AWSCVE-2026-9133
CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin
- May 18, 20262026-033-AWSCVE-2026-8838
CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver
- May 15, 20262026-032-AWSCVE-2026-8686
CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing
- May 15, 20262026-031-AWSCVE-2026-8596, CVE-2026-8597
Issue with Amazon SageMaker Python SDK - Model artifact integrity verification issues (CVE-2026-8596 & CVE-2026-8597)
- May 14, 20262026-030-AWSDisclosed before NVD
Ongoing updates on Copy.fail and variants
- May 14, 20262026-029-AWSCVE-2026-46300, CVE-2026-43284
Fragnesia Local Privilege Escalation report via ESP-in-TCP in the Linux Kernel
- May 11, 20262026-027-AWSCVE-2026-31431
Dirty Frag and other issues in Amazon Linux kernels
- May 8, 20262026-028-AWSCVE-2026-8178
CVE-2026-8178 - Remote Code Execution via Unsafe Class Loading in Amazon Redshift JDBC Driver
- May 7, 20262026-026-AWSCVE-2026-31431
CVE-2026-31431
- May 4, 20262026-025-AWSCVE-2026-7791
CVE-2026-7791 - Local Privilege Escalation via TOCTOU Race Condition in Amazon WorkSpaces Skylight Agent
- May 1, 20262026-024-AWSCVE-2026-7461
CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
- Apr 29, 20262026-023-AWSCVE-2026-7425, CVE-2026-7426
Issue with FreeRTOS-Plus-TCP - IPv6 Router Advertisement Memory Safety Issues
- Apr 29, 20262026-022-AWSCVE-2026-7424
CVE-2026-7424 - Integer Underflow in DHCPv6 Sub-Option Parser in FreeRTOS-Plus-TCP
- Apr 29, 20262026-021-AWSCVE-2026-7422, CVE-2026-7423
Issue with FreeRTOS-Plus-TCP - MAC Address Validation Bypass and ICMP Echo Reply Integer Underflow
- Apr 27, 20262026-020-AWSCVE-2026-7191
CVE-2026-7191- Arbitrary Code Execution via Sandbox Bypass in QnABot on AWS
- Apr 24, 20262026-019-AWSCVE-2026-6967, CVE-2026-6968 +1
Issues in tough library and tuftool CLI utility
- Apr 24, 20262026-018-AWSCVE-2026-6911, CVE-2026-6912
Issue with AWS Ops Wheel (CVE-2026-6911 and CVE-2026-6912
- Apr 20, 20262026-017-AWSCVE-2026-6550
CVE-2026-6550 - Key commitment policy bypass via shared key cache in AWS Encryption SDK for Python
- Apr 17, 20262026-016-AWSCVE-2026-6437
CVE-2026-6437 - Mount Option Injection in Amazon EFS CSI Driver
- Apr 14, 20262026-015-AWSCVE-2026-5747
CVE-2026-5747 - Out-of-bounds Write in Firecracker virtio-pci Transport
- Apr 14, 20262026-014-AWSCVE-2026-5708, CVE-2026-5709 +1
Issues with AWS Research and Engineering Studio (RES)
- Apr 14, 20262026-013-AWSCVE-2026-5485, CVE-2026-35558 +4
Issues with Amazon Athena ODBC Driver
- Apr 14, 20262026-012-AWSCVE-2026-5429
CVE-2026-5429 - Kiro IDE Webview Cross-Site Scripting via Workspace Color Theme
- Apr 14, 20262026-011-AWSCVE-2026-5190
CVE-2026-5190 - AWS C Event Stream Streaming Decoder Stack Buffer Overflow
- Mar 19, 20262026-010-AWSCVE-2026-4428
CVE-2026-4428: Issues with AWS-LC - CRL Distribution Point Scope Check Logic Error
- Mar 17, 20262026-009-AWSCVE-2026-4295
Arbitrary code execution via crafted project files in Kiro IDE
- Mar 16, 20262026-008-AWSCVE-2026-4269
CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit
- Mar 16, 20262026-007-AWSCVE-2026-4270
CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
- Mar 3, 20262026-006-AWSCVE-2026-3494
MariaDB Server Audit Plugin Comment Handling Bypass
- Mar 2, 20262026-005-AWSCVE-2026-3336, CVE-2026-3337 +1
Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338)
- Feb 2, 20262026-004-AWSCVE-2026-1777, CVE-2026-1778
Security Findings in SageMaker Python SDK
- Jan 23, 20262026-003-AWSCVE-2026-1386
CVE-2026-1386 - Arbitrary Host File Overwrite via Symlink in Firecracker Jailer
- Jan 15, 20262026-002-AWSDisclosed before NVD
Unanchored ACCOUNT_ID webhook filters for CodeBuild
- Jan 9, 20262026-001-AWSCVE-2026-0830
CVE-2026-0830 - Command Injection in Kiro GitLab Merge Request Helper
- Dec 17, 2025AWS-2025-032CVE-2025-14764, CVE-2025-14759 +4
Key Commitment Issues in S3 Encryption Clients
- Dec 15, 2025AWS-2025-031CVE-2025-14503
Overly Permissive Trust Policy in Harmonix on AWS EKS
- Dec 4, 2025AWS-2025-030CVE-2025-66478, CVE-2025-55182
CVE-2025-66478: RCE in React Server Components
- Nov 21, 2025AWS-2025-029CVE-2025-13524
Call audio termination issue in AWS Wickr desktop clients
- Nov 10, 2025AWS-2025-028CVE-2025-12967
Privilege Escalation in Aurora PostgreSQL using AWS JDBC Wrapper, AWS Go Wrapper, AWS NodeJS Wrapper, AWS Python Wrapper, AWS PGSQL ODBC driver
- Nov 7, 2025AWS-2025-027CVE-2025-12829
CVE-2025-12829 - Integer Overflow issue in Amazon Ion-C
- Nov 6, 2025AWS-2025-026CVE-2025-12815
CVE-2025-12815 - RES web portal may display preview of Virtual Desktops that the user shouldn't have access to
- Nov 5, 2025AWS-2025-025CVE-2025-12779
Improper authentication token handling in the Amazon WorkSpaces client for Linux
- Nov 5, 2025AWS-2025-024CVE-2025-31133, CVE-2025-52565 +1
CVE-2025-31133, CVE-2025-52565, CVE-2025-52881 - runc container issues
- Oct 10, 2025AWS-2025-023CVE-2025-11616, CVE-2025-11617 +1
Buffer Over-read when receiving improperly sized ICMPv6 packets
- Oct 9, 2025AWS-2025-022CVE-2025-11573
CVE-2025-11573 - Denial of Service issue in Amazon.IonDotnet
- Oct 8, 2025AWS-2025-021Disclosed before NVD
IMDS impersonation
- Oct 7, 2025AWS-2025-020CVE-2025-11462
CVE-2025-11462 AWS ClientVPN macOS Client Local Privilege Escalation
- Oct 7, 2025AWS-2025-019Disclosed before NVD
Amazon Q Developer and Kiro – Prompt Injection Issues in Kiro and Q IDE plugins
- Aug 14, 2025AWS-2025-018CVE-2025-9039
CVE-2025-9039 - Issue with Amazon ECS agent introspection server
- Aug 13, 2025AWS-2025-017CVE-2025-8904
CVE-2025-8904 - Issue with Amazon EMR Secret Agent component
- Aug 12, 2025AWS-2025-016CVE-2025-8217
[Redirected] Memory Dump Issue in AWS CodeBuild
- Aug 11, 2025AWS-2025-015CVE-2025-8217
[Redirected] Security Update for Amazon Q Developer Extension for Visual Studio Code (Version #1.84)
- Jul 23, 2025AWS-2025-014CVE-2025-8069
CVE-2025-8069 - AWS Client VPN Windows Client Local Privilege Escalation
- Jul 17, 2025AWS-2025-013LowCVE-2025-6031
CVE-2025-6031 - Insecure device pairing in end-of-life Amazon Cloud Cam