CVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib
Bulletin ID: 2026-050-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 07/01/2026 12:15 PM PDT Description: AWS CDK (aws-cdk-lib) is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. We identified CVE-2026-13760, an OS command injection issue in the NodejsFunction Docker bundling pipeline in aws-cdk-lib before 2.260.0 that could allow an actor who controls dependency version strings in a project's package.json file to execute arbitrary commands on the host running the CDK toolchain via injected shell metacharacters in the OsCommand helper. This issue requires the actor to control the content of a package.json dependency version string that is processed during Docker-based bundling with nodeModules specified. Impacted versions: < 2.260.0 Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- An OS command injection issue could allow execution of arbitrary commands on the host running the CDK toolchain.
- Who is affected
- Deployments of aws-cdk-lib before version 2.260.0.
- Urgency
- Remediation is urgent due to the potential for command injection vulnerabilities.
- Action
- Update aws-cdk-lib to version 2.260.0 or later.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch aws-cdk-lib
Get an email when a new aws-cdk-lib advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-050-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-137600.61% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 45% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-13760 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
Recent advisories for - OS Command
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-15081: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-13242: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-45203: Kernel software installed and running inside a Host VM may post improper commands to the GPU F…nvd · 2026-07-10
- unknownCVE-2026-45196: Kernel software installed and running inside a Host VM may post improper commands to the GPU F…nvd · 2026-07-10
- criticalGHSA-m93h-4hw7-5qcm: File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentic…ghsa · 2026-07-10
- criticalCVE-2026-5801: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerabil…nvd · 2026-07-10
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01
- unknownCVE-2026-13762 and CVE-2026-13763 - Issue with HTTP/2 multi-frame request body inspection in AWS WAF2026-06-29