Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Insecure deserialization in the job results processing component in Amazon Braket SDK before 1.117.0 might allow a remote authenticated user with S3 write access to the job output bucket to achieve arbitrary code execution on any machine that processes job results.
We recommend you upgrade to amazon-braket-sdk version 1.117.0 or later.
AnalysisAI
Arbitrary code execution in Amazon Braket Python SDK versions prior to 1.117.0 allows an authenticated attacker with S3 write access to the job output bucket to compromise any client machine that processes those job results. The flaw stems from insecure pickle deserialization in the job results processing component, and while no public exploit has been identified at time of analysis, the impact extends to every downstream consumer of poisoned results. EPSS data is unavailable, but the supply-chain-style propagation across analyst workstations and CI systems materially raises real-world risk.
Technical ContextAI
Amazon Braket is AWS's managed quantum computing service, and the amazon-braket-sdk-python (CPE cpe:2.3:a:aws:amazon_braket_python_sdk) is the official Python client used by researchers and pipelines to submit jobs and retrieve results from S3. The underlying weakness is CWE-502 (Deserialization of Untrusted Data): the SDK historically used Python's pickle module to deserialize job result artifacts fetched from the job output S3 bucket. Because pickle invokes arbitrary callables during reconstruction (via __reduce__), any attacker who can write to the result bucket can craft a malicious payload that executes code in the process of whoever later loads the results. The v1.117.0 release notes explicitly confirm the fix: 'Disable pickle deserialization by default for security.'
RemediationAI
Vendor-released patch: upgrade amazon-braket-sdk-python to version 1.117.0 or later (https://github.com/amazon-braket/amazon-braket-sdk-python/releases/tag/v1.117.0), which disables pickle deserialization by default per the release notes. Until the upgrade is rolled out to every machine that processes Braket job results (including analyst workstations and CI runners - not just job submitters), apply IAM least-privilege to tightly restrict s3:PutObject on job output buckets to the Braket service principal and trusted job-execution roles only, and enable S3 bucket policies that deny writes from unexpected principals; the trade-off is that any custom tooling that legitimately wrote to those buckets will break. As a defense-in-depth measure, enable S3 server-access logging and CloudTrail data events on the output buckets to detect anomalous writes, and consider running result-processing in isolated, non-privileged environments so a successful exploit does not pivot to credentials or source code. Consult the AWS bulletin at https://aws.amazon.com/security/security-bulletins/2026-036-aws/ and GHSA-g697-2xrc-gc46 for vendor guidance.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31483
GHSA-g697-2xrc-gc46