AgentCore CLI CVE-2026-11393

EUVD-2026-35187 | HIGH | Code Injection (CWE-94) | 2026-06-08 | AMZN | 8.8 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: A
  • Scope: X

Lifecycle Timeline (5 events)

  • Re-analysis Queued: Jun 08, 2026 - 19:22, vuln.today (cvss_changed)
  • Severity Changed: Jun 08, 2026 - 19:22, NVD (CRITICAL → HIGH)
  • CVSS changed: Jun 08, 2026 - 19:22, NVD (9.0 (CRITICAL) → 8.8 (HIGH))
  • Source Code Evidence Fetched: Jun 08, 2026 - 19:22, vuln.today
  • Analysis Generated: Jun 08, 2026 - 19:22, vuln.today

Description (NVD)

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of another user in the same AWS account, via a crafted collaborationInstruction stored on a Bedrock Agent collaborator and later processed by that other user during agent import.

To remediate this issue, users should upgrade to version 0.14.2.

Analysis (AI)

Remote code execution in AWS AgentCore CLI before v0.14.2 allows authenticated attackers to inject Python code via crafted collaborationInstruction strings stored on Bedrock Agent collaborators. When another user in the same AWS account imports the agent, the malicious triple-quote payload breaks out of the generated Python docstring and executes attacker-controlled code on AWS AgentCore Runtime under the imported agent's IAM execution role, as well as on the importing user's local environment. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain write access to Bedrock collaborator
  • Delivery: Plant triple-quote payload in collaborationInstruction
  • Exploit: Victim runs agentcore import
  • Execution: Generated Python docstring escapes into code
  • Persist: Injected code runs on victim workstation and AgentCore Runtime
  • Impact: Abuse imported agent's IAM execution role

Vulnerability Assessment (AI)

Exploitation: Attacker must (1) hold authenticated AWS credentials with permission to set the collaborationInstruction field on a Bedrock Agent collaborator in the target account, and (2) induce a second user in the same AWS account to run the AgentCore CLI import command against that collaborator - UI:R in the CVSS vector reflects this required victim action. …

Risk Assessment: The CVSS:3.1 vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H yields 9.0 and reflects the cross-tenant blast radius: a low-privileged authenticated actor in one AWS account context plants a payload, and a second user's import (UI:R) detonates it, with Scope:Changed because execution spreads to AgentCore Runtime under a different IAM role plus the victim's local workstation. …

Exploit Scenario: An attacker with permission to update a Bedrock Agent collaborator in a shared AWS account sets its collaborationInstruction to a string that closes the generated Python triple-quoted docstring and appends malicious Python (for example, code that exfiltrates AWS credentials or writes an SSH key). A teammate later runs agentcore import to pull that collaborator into their own workflow; the CLI emits and executes the poisoned Python both locally on the teammate's workstation and on AWS AgentCore Runtime under the imported agent's IAM execution role, giving the attacker code execution in two distinct trust contexts. …

Remediation: Vendor-released patch: upgrade AgentCore CLI to v0.14.2 (npm install -g @aws/agentcore@0.14.2) or, if tracking the preview line, to 1.0.0-preview.9; the fix is PR #1329, which escapes triple-quote sequences in collaborationInstruction before they are embedded in generated Python. …
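
The docstring breakout and the escaping fix described above, as an added example; this is not AgentCore CLI's code or the code from PR #1329. The template, function names, and sample strings are constructed assumptions, and the generated source is only parsed with ast, never executed, to check that it still has the expected shape.

```python
import ast

# Hypothetical stand-in for a generated agent module; not the CLI's real template.
TEMPLATE = '"""{doc}"""\n\nAGENT_NAME = "demo_collaborator"\n'

# Constructed samples: a normal instruction and one containing triple quotes.
BENIGN = "Route billing questions to the billing agent."
CRAFTED = 'Route billing questions."""\nINJECTED = True\n"""'


def render_unescaped(instruction: str) -> str:
    """Vulnerable form: untrusted text is pasted straight into the docstring."""
    return TEMPLATE.format(doc=instruction)


def escape_for_docstring(instruction: str) -> str:
    """Escape backslashes first, then every double quote, so no run of quotes
    (and no trailing backslash) can terminate or extend the literal."""
    return instruction.replace("\\", "\\\\").replace('"', '\\"')


def render_escaped(instruction: str) -> str:
    """Hardened form: same template, instruction escaped before embedding."""
    return TEMPLATE.format(doc=escape_for_docstring(instruction))


def top_level_nodes(source: str) -> list[str]:
    """Names of the module's top-level statements, from parsing only."""
    return [type(node).__name__ for node in ast.parse(source).body]


def is_faithful(source: str, instruction: str) -> bool:
    """True only if the module is exactly docstring + one assignment and the
    docstring decodes back to the original instruction. Fails closed."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return False
    return (
        len(tree.body) == 2
        and isinstance(tree.body[1], ast.Assign)
        and ast.get_docstring(tree, clean=False) == instruction
    )


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        src = render(CRAFTED)
        print(name, top_level_nodes(src), "faithful:", is_faithful(src, CRAFTED))
```

A round-trip check like is_faithful can run in a generator's test suite so that any input changing the statement structure of the output fails the build.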

Recommended Action (AI)

Within 24 hours: Inventory all AWS AgentCore CLI installations and document current versions across the organization. …