AWS Bedrock AgentCore Starter Toolkit, Code Injection, CVE-2026-4269 (High)

Listen to this Post

A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime . The vulnerability stems from improper validation of S3 bucket ownership during the build process, where the toolkit fails to verify that the S3 bucket from which it retrieves build dependencies is owned by the expected party . This oversight enables a remote attacker to stage a malicious S3 bucket with identical naming patterns, causing the build process to download and incorporate attacker-controlled code instead of legitimate dependencies . When a developer builds the toolkit after September 24, 2025 using an affected version, the poisoned build artifacts become part of the deployed AgentCore Runtime environment . The injected code then executes within the runtime context, granting attackers the same permissions and access as the legitimate AgentCore resource . Due to the high attack complexity, successful exploitation requires the attacker to win a naming race and position malicious content before the legitimate build occurs . However, once achieved, the impact is severe with complete compromise of confidentiality, integrity, and availability of the affected AgentCore resource .
Platform: AWS Bedrock
Version: <0.1.13
Vulnerability: Code Injection
Severity: 7.5 High
Date: 2026-03-16

Prediction: Patch exists v0.1.13

What Undercode Say:

Bash Commands & Detection

Check installed version
pip show bedrock-agentcore-starter-toolkit | grep Version
If version < 0.1.13 and built after 2025-09-24, vulnerable
pip list --outdated | grep bedrock-agentcore
Upgrade to patched version
pip install --upgrade bedrock-agentcore-starter-toolkit>=0.1.13
Verify successful upgrade
python -c "import bedrock_agentcore_starter_toolkit; print(bedrock_agentcore_starter_toolkit.<strong>version</strong>)"
Check build timestamps in build logs
grep -r "build completed" .bedrock_agentcore/build.log 2>/dev/null
Audit S3 buckets referenced in configuration
aws s3api get-bucket-ownership-controls --bucket your-build-bucket --query 'OwnershipControls.Rules[bash].ObjectOwnership'
List all deployed agents and their versions
agentcore list --output json | jq '.[].version'
Check CloudTrail for unusual S3 GetObject calls during builds
aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=GetObject --start-time 2025-09-24
Verify S3 bucket ownership before builds
aws s3api get-bucket-acl --bucket dependency-bucket --query 'Owner.ID'
Create SBOM for dependency scanning
pip list --format=json > requirements-sbom.json
Scan for CVE-2026-4269 using safety CLI
safety check -r requirements.txt --full-report
Monitor for unauthorized build artifacts
aws s3api list-objects-v2 --bucket your-bucket --prefix build-artifacts/ --query 'Contents[?LastModified><code>2025-09-24</code>].Key'
Check IAM roles for excessive permissions
aws iam list-attached-role-policies --role-name AgentCoreExecutionRole

How Exploit Works

  1. Bucket Confusion: Attacker identifies the S3 bucket name used by the toolkit for fetching build dependencies
  2. Ownership Bypass: Toolkit lacks verification of bucket ownership, only checks bucket existence
  3. Malicious Bucket Creation: Attacker creates a bucket with identical name in different AWS account before legitimate build occurs
  4. Code Injection: Malicious bucket contains poisoned dependencies with same filenames as expected ones
  5. Build Poisoning: During agentcore launch, toolkit pulls attacker-controlled code instead of legitimate dependencies
  6. Runtime Execution: Injected code becomes part of the deployed AgentCore container and executes with full runtime permissions
  7. Persistence: Malicious code runs each time the agent invokes the compromised functionality

Protection from this CVE

  1. Immediate Upgrade: Update to version 0.1.13 or later immediately
  2. Rebuild All Agents: Perform clean rebuild of all agents built after September 24, 2025
  3. Verify Build Integrity: Compare checksums of deployed artifacts against known-good sources
  4. S3 Ownership Validation: Implement pre-build validation of bucket ownership using AWS Account ID verification
  5. Use VPC Endpoints: Restrict S3 access to specific VPC endpoints for build processes
  6. Enable CloudTrail: Monitor all S3 GetObject calls during build windows
  7. Implement Least Privilege: Restrict AgentCore execution roles to minimum required permissions
  8. Pin Dependencies: Use exact version pins with integrity hashes in requirements.txt
  9. Isolate Build Environment: Use ephemeral build environments destroyed after each build
  10. Audit All Forks: Review any forked or derivative code for missing ownership checks

Impact

  • Complete Confidentiality Loss: Attackers can read all data processed by the compromised AgentCore Runtime
  • Full Integrity Compromise: Injected code can modify agent behavior, memory contents, and responses
  • Total Availability Disruption: Attackers can terminate or disrupt agent operations at will
  • Build Pipeline Poisoning: All agents built from compromised toolkit versions carry the injection
  • Supply Chain Propagation: Injected code can spread to downstream systems interacting with compromised agents
  • Privilege Escalation: Runtime inherits IAM permissions, potentially exposing other AWS services
  • Data Exfiltration: Attackers can siphon sensitive data processed by agents to external locations
  • Long-term Persistence: Injected code survives agent redeployments unless clean rebuild performed

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top