2026-050-AWS

CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib

Published
July 1, 2026
Last Modified

🔗 CVE IDs covered (1)

📋 Description

Bulletin ID: 2026-050-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/01/2026 12:15 PM PDT Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. Impacted versions:
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

🔗 References (1)