Skip to main content

Amazon ECS Agent EUVDEUVD-2026-26412

| CVE-2026-7461 HIGH
OS Command Injection (CWE-78)
2026-04-30 AMZN
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

8
Re-analysis Queued
Apr 30, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 19:22 NVD
7.2 (HIGH) 7.5 (HIGH)
Source Code Evidence Fetched
Apr 30, 2026 - 19:16 vuln.today
Analysis Generated
Apr 30, 2026 - 19:16 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 19:00 euvd
EUVD-2026-26412
Analysis Generated
Apr 30, 2026 - 19:00 vuln.today
Patch released
Apr 30, 2026 - 19:00 nvd
Patch available
CVE Published
Apr 30, 2026 - 18:35 nvd
HIGH 7.5

DescriptionCVE.org

Improper neutralization of inputs used in an OS command in the FSx Windows File Server volume mounting component in Amazon ECS Agent on Windows before version 1.103.0 might allow a remote authenticated threat actor to execute shell commands with SYSTEM privileges on the underlying host via a specially crafted username field in an ECS task definition. This issue requires permissions to register ECS task definitions or write to the Secrets Manager or SSM Parameter Store credentials used by the FSx volume configuration.

To remediate this issue, users should upgrade to version 1.103.0.

AnalysisAI

Command injection in Amazon ECS Agent on Windows allows authenticated attackers with task definition permissions to execute arbitrary shell commands with SYSTEM privileges on the underlying host. The vulnerability exists in the FSx Windows File Server volume mounting component (versions prior to 1.103.0), where username field input is not properly sanitized before being passed to OS commands. This affects AWS customers running Windows-based ECS container workloads with FSx volumes - exploitation requires IAM permissions to register ECS task definitions or write to credential stores (Secrets Manager/SSM Parameter Store) used by FSx configurations. Vendor-released patch: version 1.103.0. EPSS and KEV data not provided; no public exploit identified at time of analysis.

Technical ContextAI

This is a CWE-78 (OS Command Injection) vulnerability in the Amazon ECS Agent's Windows implementation, specifically the FSx for Windows File Server volume mounting subsystem. The affected component (cpe:2.3:a:aws:amazon_ecs_agent:*:*:*:*:*:*:*:*) processes ECS task definitions containing FSx volume configurations with credentials stored in AWS Secrets Manager or SSM Parameter Store. According to GitHub PR #4934 in the fix release, the vulnerability stems from unsafe direct interpolation of the username field into OS commands during the mount operation. Instead of sanitizing inputs before shell execution, the vulnerable code passes user-controlled task definition parameters directly to Windows command-line utilities with SYSTEM privileges. The patch remediation (v1.103.0) implements environment variable-based input handling to prevent command injection, alongside a Golang version bump to 1.25.9 for additional security improvements.

RemediationAI

Upgrade Amazon ECS Agent to version 1.103.0 or later per AWS Security Bulletin 2026-024-AWS (https://aws.amazon.com/security/security-bulletins/2026-024-aws/). The patch implements environment variable-based input handling for FSx volume mounting (GitHub PR #4934) to prevent command injection. For environments unable to immediately upgrade, implement compensating controls: (1) Audit and restrict IAM permissions for ecs:RegisterTaskDefinition, secretsmanager:PutSecretValue, and ssm:PutParameter actions to trusted principals only via least-privilege policies - note this may impact developer workflows requiring task definition updates; (2) Enable AWS CloudTrail logging for RegisterTaskDefinition API calls and configure CloudWatch alarms for unusual username patterns in task definition parameters (regex monitoring for shell metacharacters in FSx credential fields); (3) Consider temporarily disabling FSx for Windows File Server volume support on ECS clusters running vulnerable agent versions if the feature is not operationally required - this breaks existing FSx-dependent tasks. The patch also upgrades Golang to 1.25.9 for additional security improvements. Verify upgrade success by checking ECS agent version via AWS Systems Manager or container instance metadata.

Share

EUVD-2026-26412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy