CVE-2026-7461 - OS Command Injection in Amazon ECS Agent via FSx Windows File Server Volume Credentials
Bulletin ID: 2026-024-AWS Scope: AWS Content Type: Important (requires attention) Publication Date: 2026/04/30 13:30 PM PDT Description: Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. The Amazon ECS agent supports mounting FSx for Windows File Server volumes in task definitions on Windows EC2 instances. We identified CVE-2026-7461, a command injection issue in FSx volume mounting that enables code execution with SYSTEM privileges via a specially crafted credentials in ECS task definitions. Impacted versions: Version 1.47.0 through 1.102.2 of the ECS Agent for Windows Please refer to the article below for the most up-to-date and complete information related to this AWS Security Bulletin.
CSIRTS triage
- What
- There is a command injection issue in FSx volume mounting that enables code execution with SYSTEM privileges.
- Who is affected
- Deployments of ECS Agent for Windows versions 1.47.0 through 1.102.2.
- Urgency
- Remediation is important as it allows for remote code execution with high privileges.
- Action
- Update to a patched version of the ECS Agent.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch ECS Agent
Get an email when a new ECS Agent advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://aws.amazon.com/security/security-bulletins/rss/2026-024-aws/
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-74610.55% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 42% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-7461 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for - OS Command
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownCVE-2026-15081: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-13242: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerabi…nvd · 2026-07-10
- unknownCVE-2026-45203: Kernel software installed and running inside a Host VM may post improper commands to the GPU F…nvd · 2026-07-10
- unknownCVE-2026-45196: Kernel software installed and running inside a Host VM may post improper commands to the GPU F…nvd · 2026-07-10
- criticalGHSA-m93h-4hw7-5qcm: File Browser: Command Injection via Authentication Hook Shell Substitution (Pre-Authentic…ghsa · 2026-07-10
- criticalCVE-2026-5801: Improper neutralization of special elements used in an SQL command ('SQL injection') vulnerabil…nvd · 2026-07-10
More from AWS Security Bulletins
- unknownCVE-2026-14904 - Improper Link Resolution in Auth.GetUserPrivateKey in AWS Research and Engineering Studio2026-07-07
- unknownCVE-2026-14471 - Authenticated SQL injection in the metrics-service retention policy subsystem of mcp-gateway-…2026-07-06
- unknownCVE-2026-14265- Deserialization of Untrusted Data in AWS Advanced JDBC Wrapper RemoteQueryCachePlugin2026-07-01
- unknownCVE-2026-13760 - OS Command Injection in NodejsFunction Docker Bundling in aws-cdk-lib2026-07-01
- unknownCVE-2026-13769 – Insecure file permissions in AWS CLI2026-07-01