Latest Bulletins
Read our latest security bulletins here.
- CVE-2026-4428: Issues with AWS-LC – CRL Distribution Point Scope Check Logic Error, by aws@amazon.com on March 19, 2026 at 10:15 pm
Bulletin ID: 2026-010-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/19 13:30 PM PDT
Description: AWS-LC is a general-purpose cryptographic library maintained by AWS. We identified CVE-2026-4428, affecting X.509 certificate verification. A logic error in the CRL (Certificate Revocation List) distribution point matching in AWS-LC allows a revoked certificate to bypass revocation checks during certificate validation when the application enables CRL checking and uses partitioned CRLs with Issuing Distribution Point (IDP) extensions. Applications that do not enable CRL checking (X509_V_FLAG_CRL_CHECK) are not affected. Applications using complete (non-partitioned) CRLs without IDP extensions are also not affected.
Impacted versions:
– CRL Distribution Point Scope Check Logic Error in AWS-LC >= v1.24.0, < v1.71.0
– CRL Distribution Point Scope Check Logic Error in AWS-LC-FIPS >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.3.0
– CRL Distribution Point Scope Check Logic Error in aws-lc-sys >= v0.15.0, < v0.39.0
– CRL Distribution Point Scope Check Logic Error in aws-lc-fips-sys >= v0.13.0, < v0.13.13
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
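The bulletin turns on one step of RFC 5280 path validation: a CRL that carries an Issuing Distribution Point extension only covers certificates whose CRL Distribution Point names match it, so a verifier that gets that match wrong can consult the wrong partition, find the serial absent, and report a revoked certificate as good. The following is an added example, not AWS-LC code and not the logic that was fixed: it builds a throwaway CA, a leaf with a CDP, and two partitioned CRLs with pyca/cryptography, then runs a scope-aware revocation check beside a naive one that ignores the IDP. The CA name, the distribution-point URLs and the serial numbers are constructed; the scope check is simplified (no cRLIssuer-based DPs, reason partitioning or onlyContains* handling) and assumes CRL signatures were verified earlier.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed distribution-point URLs: nothing is fetched, the CRLs are built in memory.
CDP_A = "http://crl.example.test/partition-a.crl"
CDP_B = "http://crl.example.test/partition-b.crl"
NOW = datetime.datetime.now(datetime.timezone.utc)
LATER = NOW + datetime.timedelta(days=1)


def make_ca():
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW).not_valid_after(LATER)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def make_leaf(ca_key, ca_cert, serial, cdp_url):
    """End-entity certificate whose CDP names exactly one CRL partition."""
    key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint(full_name=[x509.UniformResourceIdentifier(cdp_url)],
                                relative_name=None, reasons=None, crl_issuer=None)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, f"leaf-{serial}")]))
            .issuer_name(ca_cert.subject).public_key(key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(LATER)
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_partitioned_crl(ca_key, ca_cert, idp_url, revoked_serials):
    """CRL whose critical IDP extension says it covers only one distribution point."""
    idp = x509.IssuingDistributionPoint(
        full_name=[x509.UniformResourceIdentifier(idp_url)], relative_name=None,
        only_contains_user_certs=False, only_contains_ca_certs=False,
        only_some_reasons=None, indirect_crl=False, only_contains_attribute_certs=False)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(NOW).next_update(LATER).add_extension(idp, critical=True))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())


def crl_covers(cert, crl):
    """RFC 5280 6.3.3(b) scope check, simplified: a partitioned CRL applies to a
    certificate only if one of the certificate's CDP names equals an IDP name."""
    try:
        idp = crl.extensions.get_extension_for_class(x509.IssuingDistributionPoint).value
    except x509.ExtensionNotFound:
        return True  # complete CRL: covers everything this issuer signed
    if idp.full_name is None:
        return True
    try:
        cdps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return False  # certificate names no DP, so no partition can claim it
    idp_names = set(idp.full_name)
    return any(dp.full_name and idp_names.intersection(dp.full_name) for dp in cdps)


def check_revocation(cert, crls):
    """Fail closed: 'revoked', 'good' only after an in-scope CRL was consulted, else 'no_crl'."""
    for crl in crls:
        if crl.issuer != cert.issuer or not crl_covers(cert, crl):
            continue
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return "revoked"
        return "good"
    return "no_crl"


def naive_check(cert, crls):
    """The failure class to avoid: takes the first CRL from the right issuer and
    ignores its IDP, so a partition that never listed the serial answers 'good'."""
    for crl in crls:
        if crl.issuer == cert.issuer:
            found = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
            return "revoked" if found is not None else "good"
    return "no_crl"


def run_demo():
    ca_key, ca_cert = make_ca()
    leaf = make_leaf(ca_key, ca_cert, 1001, CDP_A)  # revoked; listed only in partition A
    crl_a = make_partitioned_crl(ca_key, ca_cert, CDP_A, [1001])
    crl_b = make_partitioned_crl(ca_key, ca_cert, CDP_B, [])
    return {
        "scoped": check_revocation(leaf, [crl_b, crl_a]),      # 'revoked'
        "naive": naive_check(leaf, [crl_b, crl_a]),            # 'good': wrong partition
        "missing_partition": check_revocation(leaf, [crl_b]),  # 'no_crl'
    }


if __name__ == "__main__":
    print(run_demo())
```

The ordering of the CRL list in run_demo is deliberate: partition B is offered first, and only the scope check keeps it from answering for a certificate it never covered. The `no_crl` result is the other half of the caveat: when no in-scope partition is available, a checker with CRL checking enabled should fail rather than treat the certificate as good.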
- Arbitrary code execution via crafted project files in Kiro IDE, by aws@amazon.com on March 17, 2026 at 7:20 pm
Bulletin ID: 2026-009-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/17 12:15 PM PDT
Description: Kiro is an AI-powered IDE for agentic software development. We identified CVE-2026-4295, where improper trust boundary enforcement allowed arbitrary code execution when a user opened a maliciously crafted project directory.
Impacted versions: < 0.8.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
- CVE-2026-4269 – Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit, by aws@amazon.com on March 16, 2026 at 6:59 pm
Bulletin ID: 2026-008-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/16 11:15 AM PDT
Description: A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime.
Impacted versions: All versions of the Bedrock AgentCore Starter Toolkit before v0.1.13. This issue only affects users of the Toolkit before version v0.1.13 who built it after September 24, 2025. Users on a version >= v0.1.13, and users on earlier versions who built the toolkit before September 24, 2025, are not affected.
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
- CVE-2026-4270 – AWS API MCP File Access Restriction Bypass, by aws@amazon.com on March 16, 2026 at 4:31 pm
Bulletin ID: 2026-007-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/16 09:15 AM PDT
Description: The AWS API MCP Server is an open source Model Context Protocol (MCP) server that enables AI assistants to interact with AWS services and resources through AWS CLI commands. It provides programmatic access to manage your AWS infrastructure while maintaining proper security controls. This server acts as a bridge between AI assistants and AWS services, allowing you to create, update, and manage AWS resources across all available services. The server includes a configurable file access feature that controls how AWS CLI commands interact with the local file system. By default, file operations are restricted to a designated working directory (workdir), but this can be configured to allow unrestricted file system access (unrestricted) or to block all local file path arguments entirely (no-access). We identified CVE-2026-4270: an Improper Protection of Alternate Path weakness in the no-access and workdir modes of the AWS API MCP Server, versions >= 0.2.14 and < 1.3.9 on all platforms, may allow the intended file access restriction to be bypassed and expose arbitrary local file contents in the MCP client application context.
Impacted versions: awslabs.aws-api-mcp-server >= 0.2.14, < 1.3.9
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
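"Alternate path" bypasses of a workdir or no-access restriction come from the checker and the file system disagreeing about which file an argument names: a sibling directory that shares the workdir's string prefix, a `..` component, or a symlink inside the workdir that points outside it. The block below is an added example, not the AWS API MCP Server's code and not its fix: it models the three modes the bulletin names over an AWS CLI command line, with a prefix-only check shown beside a realpath-based one. It assumes that the AWS CLI's `file://` and `fileb://` parameter prefixes are the file reads to police and treats `--outfile <path>` as a file write; the command lines and the temporary directory layout are constructed.

```python
import os
import re
import tempfile

# AWS CLI loads a parameter value from a local file when the argument is
# prefixed with file:// or fileb://; --outfile is treated here as a file write.
FILE_PREFIX = re.compile(r"^(?:file|fileb)://(.+)$")


def extract_paths(argv):
    """Yield (path, kind) for every argument that names a local file."""
    for i, arg in enumerate(argv):
        m = FILE_PREFIX.match(arg)
        if m:
            yield m.group(1), "read"
        elif arg == "--outfile" and i + 1 < len(argv):
            yield argv[i + 1], "write"


def naive_allowed(path, workdir):
    """Flawed containment check: a string prefix test. A sibling directory that
    shares the prefix, or a symlink inside workdir pointing outside, both pass."""
    return os.path.abspath(path).startswith(workdir)


def hardened_allowed(path, workdir):
    """Resolve symlinks and '..' on both sides, then require that the resolved
    target lies under the resolved workdir. Relative paths are rooted in workdir.
    A later open should still use O_NOFOLLOW or a dir_fd, since a symlink can be
    created between this check and the open."""
    root = os.path.realpath(workdir)
    target = os.path.realpath(os.path.join(root, path))
    return os.path.commonpath([root, target]) == root


def check_command(argv, mode, workdir=None):
    """Apply one of the three modes to a command line; returns (path, kind, verdict)."""
    verdicts = []
    for path, kind in extract_paths(argv):
        if mode == "no-access":
            verdict = "blocked"
        elif mode == "unrestricted":
            verdict = "allowed"
        elif mode == "workdir":
            verdict = "allowed" if hardened_allowed(path, workdir) else "blocked"
        else:
            raise ValueError(f"unknown mode {mode!r}")
        verdicts.append((path, kind, verdict))
    return verdicts


def run_demo():
    """Constructed layout: base/work is the workdir, base/work-evil a sibling that
    shares its prefix, base/secret.txt the target of a symlink placed inside work."""
    base = tempfile.mkdtemp()
    work = os.path.join(base, "work")
    os.mkdir(work)
    os.mkdir(work + "-evil")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("constructed secret\n")
    os.symlink(secret, os.path.join(work, "link"))
    argv = ["aws", "iam", "create-policy", "--policy-document", f"file://{work}/link",
            "--cli-input-json", f"file://{work}-evil/input.json",
            "--outfile", f"{work}/out.json"]
    return {
        "naive": [naive_allowed(p, work) for p, _ in extract_paths(argv)],
        "workdir": [v for _, _, v in check_command(argv, "workdir", work)],
        "no_access": [v for _, _, v in check_command(argv, "no-access")],
    }


if __name__ == "__main__":
    print(run_demo())
```

The first two arguments are the bypasses: the prefix check accepts both, while the resolved check blocks both and still admits the legitimate write under the workdir. In no-access mode there is nothing to resolve, but the checker must still recognise every spelling through which the CLI reaches the file system, which is exactly where an overlooked prefix becomes an alternate path.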
- MariaDB Server Audit Plugin Comment Handling Bypass, by aws@amazon.com on March 3, 2026 at 6:28 pm
Bulletin ID: 2026-006-AWS
Scope: AWS
Content Type: Informational
Publication Date: 2026/03/03 10:15 AM PST
Description: Amazon RDS/Aurora is a managed relational database service. We identified CVE-2026-3494. In MariaDB Server versions through 11.8.5, when the server audit plugin is enabled with the server_audit_events variable configured for QUERY_DCL, QUERY_DDL, or QUERY_DML filtering, a SQL statement that an authenticated database user prefixes with a double-hyphen (--) or hash (#) style comment is not logged.
Impacted versions:
– MariaDB Server (10.6.24 and prior, 10.11.15 and prior, 11.4.9 and prior, and 11.8.5 and prior)
– Amazon Aurora MySQL (2.12.5 and prior, 3.01.0 to 3.04.5, 3.05.1 to 3.10.2, and 3.11.0)
– Amazon RDS for MySQL (5.7.44-RDS.20251212 and prior, 8.0.11 to 8.0.44, and 8.4.3 to 8.4.7)
– Amazon RDS for MariaDB (10.6.24 and prior, 10.11.4 to 10.11.15, 11.4.3 to 11.4.9, and 11.8.3 to 11.8.5)
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
- Issue with AWS-LC: an open-source, general-purpose cryptographic library (CVE-2026-3336, CVE-2026-3337, CVE-2026-3338), by aws@amazon.com on March 2, 2026 at 11:19 pm
Bulletin ID: 2026-005-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/03/02 14:30 PM PST
Description: AWS-LC is an open-source, general-purpose cryptographic library. We identified three distinct issues:
– CVE-2026-3336: PKCS7_verify Certificate Chain Validation Bypass in AWS-LC. Improper certificate validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass certificate chain verification when processing PKCS7 objects with multiple signers, for every signer other than the final one.
– CVE-2026-3337: Timing Side-Channel in AES-CCM Tag Verification in AWS-LC. An observable timing discrepancy in AES-CCM decryption in AWS-LC allows an unauthenticated user to potentially determine authentication tag validity via timing analysis.
– CVE-2026-3338: PKCS7_verify Signature Validation Bypass in AWS-LC. Improper signature validation in PKCS7_verify() in AWS-LC allows an unauthenticated user to bypass signature verification when processing PKCS7 objects with Authenticated Attributes.
Impacted versions:
– PKCS7_verify Certificate Chain Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0
– PKCS7_verify Certificate Chain Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0
– Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= v1.21.0, < v1.69.0
– Timing Side-Channel in AES-CCM Tag Verification in AWS-LC >= AWS-LC-FIPS-3.0.0, < AWS-LC-FIPS-3.2.0
– Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys >= v0.14.0, < v0.38.0
– Timing Side-Channel in AES-CCM Tag Verification in aws-lc-sys-fips >= v0.13.0, < v0.13.12
– PKCS7_verify Signature Validation Bypass in AWS-LC >= v1.41.0, < v1.69.0
– PKCS7_verify Signature Validation Bypass in aws-lc-sys >= v0.24.0, < v0.38.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
- Security Findings in SageMaker Python SDK, by aws@amazon.com on February 2, 2026 at 10:32 pm
Bulletin ID: 2026-004-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/02/02 14:30 PM PST
Description:
CVE-2026-1777 – Exposed HMAC in SageMaker Python SDK. The SageMaker Python SDK's remote functions feature uses a per-job HMAC key to protect the integrity of serialized functions, arguments, and results stored in S3. We identified an issue where the HMAC secret key is stored in environment variables and disclosed via the DescribeTrainingJob API. This allows third parties with DescribeTrainingJob permissions to extract the key, forge cloud-pickled payloads with valid HMACs, and overwrite S3 objects.
CVE-2026-1778 – Insecure TLS Configuration in SageMaker Python SDK. The SageMaker Python SDK is an open source library for training and deploying machine learning models on Amazon SageMaker. We identified an issue where SSL certificate verification was globally disabled in the Triton Python backend. This configuration was introduced to work around SSL errors during model downloads from public sources (e.g., TorchVision), and it affected all HTTPS connections made once the Triton Python model was imported.
Impacted versions:
– HMAC Configuration in SageMaker Python SDK v3 < v3.2.0
– HMAC Configuration in SageMaker Python SDK v2 < v2.256.0
– Insecure TLS Configuration in SageMaker Python SDK v3 < v3.1.1
– Insecure TLS Configuration in SageMaker Python SDK v2 < v2.256.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
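An HMAC over a pickled payload is only as strong as the secrecy of its key: whoever can read the key can produce a tag the consumer accepts, and the consumer then unpickles attacker-chosen bytes. The block below is an added example, not SageMaker Python SDK code and not a description of its fix: a minimal tag-then-pickle envelope with constant-time verification, a forgery performed with a key read out of a DescribeTrainingJob-shaped response, and an audit function that flags secret-looking names in that response's Environment map. The environment variable name, the job name and the response itself are constructed; the real SDK's variable names and payload layout are not reproduced here.

```python
import hashlib
import hmac
import pickle
import secrets

TAG_LEN = hashlib.sha256().digest_size


def seal(obj, key):
    """tag || pickle(obj). The tag is all that stands between a reader of the
    stored object and arbitrary unpickling on the consumer side."""
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def open_sealed(blob, key):
    """Verify in constant time before deserialising; never unpickle unverified bytes."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("payload failed integrity check")
    return pickle.loads(body)


def exposed_secret_vars(describe_response, key_var):
    """Audit a DescribeTrainingJob-shaped response. Anyone holding that permission
    sees the Environment map, so an integrity key placed there is public to them."""
    env = describe_response.get("Environment", {})
    hits = [name for name in env if name == key_var
            or any(marker in name.upper() for marker in ("HMAC", "SECRET", "TOKEN"))]
    return sorted(hits)


def run_demo():
    key_var = "REMOTE_FUNCTION_HMAC_KEY"  # constructed variable name
    key = secrets.token_bytes(32)
    describe_response = {                 # constructed, shaped like the API response
        "TrainingJobName": "remote-fn-example",
        "TrainingJobStatus": "InProgress",
        "Environment": {key_var: key.hex(), "LOG_LEVEL": "INFO"},
    }
    legit = seal({"result": 42}, key)
    # A third party with DescribeTrainingJob permission recovers the key and forges.
    leaked = bytes.fromhex(describe_response["Environment"][key_var])
    forged = seal({"result": "attacker-controlled"}, leaked)
    try:
        open_sealed(forged[:TAG_LEN] + b"x" + forged[TAG_LEN + 1:], key)  # tampered body
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return {
        "legit": open_sealed(legit, key),
        "forged_accepted": open_sealed(forged, key),
        "tampered_rejected": tampered_rejected,
        "audit": exposed_secret_vars(describe_response, key_var),
    }


if __name__ == "__main__":
    print(run_demo())
```

The verification itself is sound (a byte flipped in the body is rejected), which is the point: the weakness is not in the check but in where the key lives. Run the audit over your own DescribeTrainingJob output before deciding that rotating the SDK version closes the issue for jobs that are still running.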
- CVE-2026-1386 – Arbitrary Host File Overwrite via Symlink in Firecracker Jailer, by aws@amazon.com on January 23, 2026 at 8:51 pm
Bulletin ID: 2026-003-AWS
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2026/01/23 12:30 PM PST
Description: Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services. Firecracker runs in user space and uses the Linux Kernel-based Virtual Machine (KVM) to create microVMs. Each Firecracker microVM is further isolated with common Linux user-space security barriers by a companion program called "jailer". The jailer provides a second line of defense in case a user escapes the microVM boundaries, and it is released with each Firecracker version. We are aware of CVE-2026-1386, an issue in the Firecracker jailer which, under certain circumstances, can allow a user to overwrite arbitrary files in the host filesystem. AWS services that use Firecracker are not impacted by the issue, as we appropriately restrict access to the host and the jailer folder, blocking the preconditions required for the attack.
Impacted versions: Firecracker v1.13.1 and earlier, and v1.14.0
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
- Unanchored ACCOUNT_ID webhook filters for CodeBuild, by aws@amazon.com on January 15, 2026 at 3:43 pm
Bulletin ID: 2026-002-AWS
Scope: AWS
Content Type: Informational
Publication Date: 2026/01/15 07:03 AM PST
Description: A security research team identified a configuration issue affecting the following AWS-managed open source GitHub repositories that could have resulted in the introduction of inappropriate code:
– aws-sdk-js-v3
– aws-lc
– amazon-corretto-crypto-provider
– awslabs/open-data-registry
Specifically, the researchers identified that the regular expressions configured for these repositories' AWS CodeBuild webhook filters, intended to limit the trusted actor IDs, were insufficient, allowing a predictably acquired actor ID to gain administrative permissions for the affected repositories. We can confirm these were project-specific misconfigurations in webhook actor ID filters for these repositories and not an issue in the CodeBuild service itself. The researchers carefully demonstrated the potential to commit inappropriate code, through an empty commit, to one repository and promptly informed AWS Security of their research activity and its potential negative impact. No inappropriate code was introduced to any of the affected repositories during this security research activity; the demonstrated empty commit to one repository had no impact on any AWS customer environment and did not affect any AWS service or infrastructure. No customer action is required.
Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
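The mechanism here is a regex used as an allow-list: if the pattern for a trusted actor account ID is not anchored at both ends, any ID that merely contains the trusted digits satisfies it, and numeric account IDs can be obtained until one does. The block below is an added example, not CodeBuild's code and not the researchers' tooling: it audits ACTOR_ACCOUNT_ID filters in the filterGroups shape that boto3's create_webhook and update_webhook accept, and shows the three pattern shapes side by side. It assumes the pattern is applied as a regex search over the actor account ID; the account IDs and patterns are constructed. It generalizes slightly beyond the bulletin by also catching the half-anchored `^a|b$` form, which anchors only the outer alternatives.

```python
import re

# Constructed maintainer account ID; the attacker ID below merely contains it.
TRUSTED = "12345"

# filterGroups as boto3 create_webhook/update_webhook expect: a list of groups,
# each a list of {"type", "pattern"[, "excludeMatchedPattern"]} filters.
FILTER_GROUPS = [
    [{"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": TRUSTED}],           # unanchored
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^12345|67890$"}],     # half anchored
    [{"type": "EVENT", "pattern": "PUSH"},
     {"type": "ACTOR_ACCOUNT_ID", "pattern": "^(12345|67890)$"}],   # fully anchored
]


def has_top_level_alternation(body):
    """True if a '|' occurs outside every parenthesised group (escapes respected)."""
    depth, escaped = 0, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return True
    return False


def is_fully_anchored(pattern):
    """A pattern can only match a whole actor ID if it starts with ^, ends with $,
    and no top-level alternative escapes those anchors."""
    if not (pattern.startswith("^") and pattern.endswith("$")):
        return False
    return not has_top_level_alternation(pattern[1:-1])


def audit_filter_groups(filter_groups):
    """(group index, pattern) for every allow-listing ACTOR_ACCOUNT_ID filter
    that is not fully anchored. Exclusion filters are a different risk and skipped."""
    findings = []
    for gi, group in enumerate(filter_groups):
        for f in group:
            if f.get("type") != "ACTOR_ACCOUNT_ID" or f.get("excludeMatchedPattern"):
                continue
            if not is_fully_anchored(f["pattern"]):
                findings.append((gi, f["pattern"]))
    return findings


def actor_passes(pattern, actor_id):
    """Assumed search semantics: an unanchored pattern matches anywhere in the ID."""
    return re.search(pattern, actor_id) is not None


def run_demo():
    attacker = "9123450"  # freshly obtained ID that happens to contain the trusted digits
    return {
        "findings": audit_filter_groups(FILTER_GROUPS),
        "unanchored_admits_attacker": actor_passes(TRUSTED, attacker),
        "half_anchored_admits_prefix_id": actor_passes("^12345|67890$", "123456"),
        "anchored_blocks_attacker": actor_passes("^(12345|67890)$", attacker),
        "anchored_keeps_maintainer": actor_passes("^(12345|67890)$", TRUSTED),
    }


if __name__ == "__main__":
    print(run_demo())
```

Point the audit at the output of `aws codebuild batch-get-projects` (the `webhook.filterGroups` field of each project) to find the same shape in your own projects. The half-anchored case matters because it looks fixed at a glance and still admits any ID that starts with one trusted value or ends with the other.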