Skip to main content

AWS CLI CVE-2026-13769

| EUVDEUVD-2026-41116 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-07-01 AMZN
6.8
CVSS 4.0 · Vendor: AMZN
Share

Severity by source

Vendor (AMZN) PRIMARY
6.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.5 MEDIUM

Local attack vector (AV:L) and low-privilege account required (PR:L); only confidentiality impacted as credentials are read-only stolen, no integrity or availability effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Red Hat
5.5 MEDIUM
qualitative

Primary rating from Vendor (AMZN).

CVSS VectorVendor: AMZN

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 19:35 vuln.today
CVSS changed
Jul 01, 2026 - 19:22 NVD
5.5 (MEDIUM) 6.8 (MEDIUM)

DescriptionCVE.org

Overly permissive file permissions in AWS CLI before 1.44.78 (v1) and 2.34.29 (v2) on Unix-like systems where the umask has not been configured to restrict file permissions (the default on most systems) may allow other local users on the same host to read credentials written by certain CLI subcommands (aws codeartifact login, aws iam create-virtual-mfa-device, aws deploy register).

To remediate this issue, users should upgrade to AWS CLI 1.44.78 (v1) or 2.34.29 (v2) or later.

AnalysisAI

Credential exposure in AWS CLI on Unix-like systems allows other local users on the same host to read sensitive credentials written to disk by three specific subcommands: aws codeartifact login, aws iam create-virtual-mfa-device, and aws deploy register. When the system umask is at its default permissive value - the case on most Unix-like systems - credential files are written without adequately restrictive permissions, making them readable by other local accounts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local user account on shared host
Delivery
Wait for victim to execute aws codeartifact login, aws iam create-virtual-mfa-device, or aws deploy register
Exploit
Locate credential file written to disk with permissive umask
Execution
Read world/group-readable credential file
Impact
Authenticate to AWS services with stolen credentials

Vulnerability AssessmentAI

Exploitation Three concrete preconditions must all be met: (1) the attacker must have a local user account on the same host as the victim - remote network exploitation is not possible given AV:L; (2) the victim must have executed one of exactly three vulnerable subcommands: aws codeartifact login, aws iam create-virtual-mfa-device, or aws deploy register, creating a credential file on disk; (3) the system umask must be at a permissive default (e.g., 0022 or 0002), which is the case on most Linux and macOS installations out of the box. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.8 (Medium) reflects a local, low-privilege attack with high confidentiality impact and no integrity or availability impact (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a standard local user account on a shared Linux build server waits for a CI pipeline to execute aws codeartifact login as a different user. Because the system umask is the default (0022), the written token file is group- or world-readable; the attacker reads it from /tmp or the user's home directory and uses the stolen CodeArtifact token to pull or tamper with packages in the victim's AWS CodeArtifact repository. …
Remediation Vendor-released patch: AWS CLI 1.44.78 (v1) and 2.34.29 (v2). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise High Performance Computing 12 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected

Share

CVE-2026-13769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy