CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-4269 - Improper S3 ownership verification in Bedrock AgentCore Starter Toolkit

unknownCVE-2026-4269
Bulletin ID: 2026-008-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/03/16 11:15 AM PDT Description: A missing S3 ownership verification in the Bedrock AgentCore Starter Toolkit before version v0.1.13 may allow a remote actor to inject code during the build process, leading to code execution in the AgentCore Runtime. Impacted versions: All versions of Bedrock AgentCore Starter Toolkit versions before v0.1.13. This issue only affects users of the Bedrock AgentCore Starter Toolkit before version v0.1.13 who build the Toolkit after September 24, 2025. Any users on a version >=v0.1.13, and any users on previous versions who built the toolkit before September 24, 2025 are not affected. Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.

CSIRTS triage

What
Missing S3 ownership verification may allow a remote actor to inject code during the build process.
Who is affected
Users of Bedrock AgentCore Starter Toolkit versions before v0.1.13 who build the Toolkit after September 24, 2025.
Urgency
Remediation is critical to prevent code injection during the build process.
Action
Upgrade to Bedrock AgentCore Starter Toolkit version v0.1.13 or later.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch Bedrock AgentCore Starter Toolkit

Get an email when a new Bedrock AgentCore Starter Toolkit advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
unknown
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-008-aws/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-4269coverage & exploitation statusNVD · CVE.org

Recent advisories for - Improper S3

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from AWS Security Bulletins