Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Medium

Code Injection in Bedrock AgentCore Starter Toolkit via Missing S3 Ownership Verification

IdentifiersCVE-2026-4269CWE-345

CVE-2026-4269 is a code injection vulnerability in the Bedrock AgentCore Starter Toolkit affecting versions prior to v0.1.13. The issue is caused by missing verification of S3 object ownership during the toolkit build process. Because the build process does not properly validate that S3-hosted content originates from the expected owner, a remote actor may be able to supply or influence malicious content that is incorporated during build time. Successful exploitation can result in attacker-controlled code being injected into the built artifact and subsequently executed within the AgentCore Runtime. Based on the provided information, the issue affects users who built or rebuild the toolkit after September 24, 2025 while using a vulnerable version earlier than v0.1.13.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation may allow a remote attacker to inject malicious code during the build process, resulting in code execution in the AgentCore Runtime. This creates a supply-chain style compromise path in which affected builds may embed attacker-controlled logic, potentially enabling full compromise of the runtime context in which the built AgentCore components execute.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is to move to v0.1.13 or later. Based on the provided information, users on versions earlier than v0.1.13 who built the toolkit before September 24, 2025 are not affected; the stated exposure applies to vulnerable versions that were built after September 24, 2025. Where immediate upgrade is not possible, organizations should avoid rebuilding affected vulnerable versions and should treat builds produced after that date on vulnerable versions as potentially compromised until rebuilt with a fixed release. Additional mitigation details are not available from the provided content.

Remediation

Patch, then assume compromise.

Upgrade the Bedrock AgentCore Starter Toolkit to version v0.1.13 or later. The provided advisory explicitly states that customers should upgrade to v0.1.13 to remediate the issue.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Amazon Web ServicesBedrock Agentcore Starter Toolkitapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories and community write-ups. News coverage will land here when it surfaces.

9 SOURCESView more in app

No news coverage yet. Advisories and community discussion only.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-4269
NVD
nvd.nist.gov/vuln/detail/CVE-2026-4269
MITRE CWE · CWE-345
cwe.mitre.org
Vendor Advisory
aws.amazon.com/security/security-bulletins/2026-008-AWS
Release Notes
github.com/aws/bedrock-agentcore-starter-toolkit/releases/tag/v0.1.13