AWS discloses multiple flaws across SageMaker, Redshift, RabbitMQ, Braket, and WorkSpaces
AWS published a series of security bulletins covering vulnerabilities across several products and SDKs, including model artifact integrity verification issues in the Amazon SageMaker Python SDK (CVE-2026-8596, CVE-2026-8597), a heap out-of-bounds read in coreMQTT MQTT5 property parsing (CVE-2026-8686), and a remote code execution flaw in the amazon-redshift-python-driver (CVE-2026-8838). The company also disclosed an arbitrary file read issue in the rabbitmq-aws plugin (CVE-2026-9133), tool execution without authorization via piped stdin in Kiro CLI (CVE-2026-9255), and insecure deserialization in Amazon Braket SDK job results processing (CVE-2026-9291).
A separate advisory addressed improper authentication token handling in the Amazon WorkSpaces client for Linux. Taken together, the disclosures span cloud development tools, messaging components, data platforms, quantum-computing SDKs, and end-user clients, indicating a broad patching requirement for organizations using AWS software. Security teams should identify affected packages and clients in their environments and prioritize remediation for flaws that could enable remote code execution, unauthorized actions, file disclosure, or unsafe processing of untrusted data.

How this story unfolded
AWS publishes Amazon Braket SDK deserialization advisory
AWS published bulletin 2026-036 for CVE-2026-9291, describing insecure deserialization in Amazon Braket SDK job results processing.
AWS publishes Kiro CLI unauthorized tool execution advisory
AWS published bulletin 2026-035 for CVE-2026-9255, covering tool execution without authorization via piped stdin in Kiro CLI.
AWS publishes rabbitmq-aws arbitrary file read advisory
AWS published bulletin 2026-034 for CVE-2026-9133, describing an arbitrary file read vulnerability in the rabbitmq-aws plugin.
AWS publishes Redshift Python driver RCE advisory
AWS published bulletin 2026-033 for CVE-2026-8838, describing a remote code execution issue in the amazon-redshift-python-driver.
AWS publishes coreMQTT MQTT5 property parsing advisory
AWS published bulletin 2026-032 for CVE-2026-8686, a heap out-of-bounds read in coreMQTT MQTT5 property parsing.
AWS publishes SageMaker Python SDK integrity verification advisory
AWS published bulletin 2026-031 for CVE-2026-8596 and CVE-2026-8597, describing model artifact integrity verification issues in the Amazon SageMaker Python SDK.
AWS publishes advisory on Amazon WorkSpaces client token handling
AWS published security bulletin AWS-2025-025 covering improper authentication token handling in the Amazon WorkSpaces client for Linux.
Twitter discloses scope of Wednesday breach
Engadget reported Twitter's statement that 130 accounts were targeted in the attack, providing an official update on the scale of the incident.
Twitter breach attackers target 130 accounts
Twitter said attackers targeted 130 accounts during the breach that occurred on Wednesday. The incident involved high-profile account compromises used in a bitcoin scam campaign.
Sources
CVE-2026-9291 - Insecure Deserialization in Amazon Braket SDK Job Results Processing (aws.amazon.com)
CVE-2026-9255 - Tool Execution Without Authorization via Piped Stdin in Kiro CLI (aws.amazon.com)
CVE-2026-9133 - Arbitrary file read in rabbitmq-aws plugin (aws.amazon.com)
CVE-2026-8838 - Remote Code Execution in amazon-redshift-python-driver (aws.amazon.com)
CVE-2026-8686 - Heap out-of-bounds read in coreMQTT MQTT5 property parsing (aws.amazon.com)
CVE-2026-8596 and CVE-2026-8597 - Issue with Amazon SageMaker Python SDK: Model artifact integrity verification issues (aws.amazon.com)
Improper authentication token handling in the Amazon WorkSpaces client for Linux (aws.amazon.com)
Twitter says attackers targeted 130 accounts in Wednesday's breach (engadget.com)